GHSA-x8q8-4hp5-463w

Source

https://github.com/advisories/GHSA-x8q8-4hp5-463w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x8q8-4hp5-463w/GHSA-x8q8-4hp5-463w.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-x8q8-4hp5-463w

Aliases

CVE-2015-3337

Published

2022-05-17T04:12:25Z

Modified

2024-12-07T05:39:54.158518Z

Summary

Improper Limitation of a Pathname to a Restricted Directory in Elasticsearch

Details

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.

Database specific

{
    "nvd_published_at": "2015-05-01T15:59:00Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T20:16:27Z"
}

References

Affected packages

Maven / org.elasticsearch:elasticsearch

Package

Name: org.elasticsearch:elasticsearch; View open source insights on deps.dev
Purl: pkg:maven/org.elasticsearch/elasticsearch

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.5

Affected versions

0.*

0.6.0

0.7.0

0.7.1

0.8.0

0.9.0

0.10.0

0.11.0

0.12.0

0.12.1

0.13.0

0.13.1

0.14.0

0.14.1

0.14.2

0.14.3

0.14.4

0.15.0

0.15.1

0.15.2

0.16.0

0.16.1

0.16.2

0.16.3

0.16.4

0.16.5

0.17.0

0.17.1

0.17.2

0.17.3

0.17.4

0.17.5

0.17.6

0.17.7

0.17.8

0.17.9

0.17.10

0.18.0

0.18.1

0.18.2

0.18.3

0.18.4

0.18.5

0.18.6

0.18.7

0.19.0.RC1

0.19.0.RC2

0.19.0.RC3

0.19.0

0.19.1

0.19.2

0.19.3

0.19.4

0.19.5

0.19.6

0.19.7

0.19.8

0.19.9

0.19.10

0.19.11

0.19.12

0.20.0.RC1

0.20.0

0.20.1

0.20.2

0.20.3

0.20.4

0.20.5

0.20.6

0.90.0.Beta1

0.90.0.RC1

0.90.0.RC2

0.90.0

0.90.1

0.90.2

0.90.3

0.90.4

0.90.5

0.90.6

0.90.7

0.90.8

0.90.9

0.90.10

0.90.11

0.90.12

0.90.13

1.*

1.0.0.Beta1

1.0.0.Beta2

1.0.0.RC1

1.0.0.RC2

1.0.0

1.0.1

1.0.2

1.0.3

1.1.0

1.1.1

1.1.2

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.4.0.Beta1

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

Database specific

{
    "last_known_affected_version_range": "<= 1.4.4"
}

Maven / org.elasticsearch:elasticsearch

Package

Name: org.elasticsearch:elasticsearch; View open source insights on deps.dev
Purl: pkg:maven/org.elasticsearch/elasticsearch

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.5.0

Fixed

1.5.2

Affected versions

1.*

1.5.0

1.5.1

Database specific

{
    "last_known_affected_version_range": "<= 1.5.1"
}