Lucene search

GitHub Advisory DatabaseGHSA-8699-M855-CWQF

HistoryMay 14, 2022 - 2:51 a.m.

Cross-site scripting in Elasticsearch

2022-05-1402:51:14

CWE-79

GitHub Advisory Database

github.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

72.3%

JSON

Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Affected configurations

Vulners

Node

org.elasticsearch\Matchelasticsearch

CPENameOperatorVersion
org.elasticsearch:elasticsearchlt1.4.0.Beta1

CPE	Name	Operator	Version
	org.elasticsearch:elasticsearch	lt	1.4.0.Beta1

References

packetstormsecurity.com/files/128556/Elasticsearch-1.3.x-CORS-Issue.html

www.elasticsearch.org/blog/elasticsearch-1-4-0-beta-released/

www.securityfocus.com/archive/1/533602/100/0/threaded

www.securityfocus.com/bid/70233

github.com/advisories/GHSA-8699-m855-cwqf

nvd.nist.gov/vuln/detail/CVE-2014-6439

www.elastic.co/community/security/

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

72.3%

JSON

Related for GHSA-8699-M855-CWQF