CVE-2021-22140

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-22140

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22140.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-22140

Published

2021-05-13T18:15:09Z

Modified

2025-01-14T08:53:32.213616Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files.

References

https://discuss.elastic.co/t/7-12-1-security-update/271433

Affected packages

Git / github.com/elastic/app-search-php

Affected ranges

Type: GIT
Repo: https://github.com/elastic/app-search-php
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7350dc9e2f741ea90f6d0e16c608b6b56d8a43d6

Affected versions

1.*

1.0.0

1.0.1

1.0.2

7.*

7.10.0

7.11.1

7.2.0

7.3.0

7.4.0

7.5.0

7.6.0

7.7.0

7.8.0

7.9.0