XML External Entity Injection in Elastic App Search by Elastic
CVE-2021-22140

7.5HIGH

Key Information:

Vendor: Elastic
Status: Elastic App Search
Vendor: CVE Published:; 13 May 2021

Summary

Elastic App Search contains a vulnerability in the web crawler beta feature that allows for an XML External Entity Injection (XXE). An attacker can leverage this flaw by crafting a malicious sitemap.xml while their website is being crawled. This may allow the attacker to traverse the filesystem of the host running the instance of App Search, potentially exposing sensitive files and data.

Affected Version(s)

Elastic App Search after 7.11.0 and before 7.12.0

References

https://discuss.elastic.co/t/7-12-1-security-update/271433

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 13, 2021
Vulnerability Reserved
Jan 4, 2021