Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2015-4165
HistoryAug 09, 2017 - 4:29 p.m.

CVE-2015-4165

2017-08-0916:29:00
CWE-264
[email protected]
web.nvd.nist.gov
56
cve-2015-4165
elasticsearch
snapshot api
remote authenticated users
arbitrary code execution
security vulnerability
nvd

6 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

High

0.013 Low

EPSS

Percentile

86.1%

JSON

The snapshot API in Elasticsearch before 1.6.0 when another application exists on the system that can read Lucene files and execute code from them, is accessible by the attacker, and the Java VM on which Elasticsearch is running can write to a location that the other application can read and execute from, allows remote authenticated users to write to and create arbitrary snapshot metadata files, and potentially execute arbitrary code.

Affected configurations

NVD
Node
elasticsearchelasticsearchMatch1.5.2

Related

nessus 1
ubuntucve 1
zdt 1
openvas 1
prion 1
nvd 1
github 1
cvelist 1
freebsd 1
osv 1
securityvulns 2
nessus
nessus
FreeBSD : elasticsearch -- security fix for shared file-system repositories (23232028-1ba4-11e5-b43d-002590263bf5)
2015-06-26 00:00:00
ubuntucve
ubuntucve
CVE-2015-4165
2017-08-09 00:00:00
zdt
zdt
Elasticsearch 1.5.2 File Creation Vulnerability
2015-06-10 00:00:00
openvas
openvas
Elasticsearch < 1.6.0 Arbitrary Code Execution Vulnerability
2018-03-01 00:00:00
prion
prion
Code injection
2017-08-09 16:29:00
nvd
nvd
CVE-2015-4165
2017-08-09 16:29:00
github
github
Improper Access Control in Elasticsearch
2022-05-14 02:48:29
cvelist
cvelist
CVE-2015-4165
2017-08-09 16:00:00
freebsd
freebsd
elasticsearch -- security fix for shared file-system repositories
2015-06-09 00:00:00
osv
osv
Improper Access Control in Elasticsearch
2022-05-14 02:48:29
securityvulns
securityvulns
Elasticsearch files access
2015-06-14 00:00:00
Elasticsearch vulnerability CVE-2015-4165
2015-06-14 00:00:00

6 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

High

0.013 Low

EPSS

Percentile

86.1%

JSON
Related for CVE-2015-4165
nessus1ubuntucve1zdt1openvas1prion1nvd1github1cvelist1freebsd1osv1securityvulns2