CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2019-7611 – elasticsearch: Improper permission issue when attaching a new name to an index
https://notcve.org/view.php?id=CVE-2019-7611
25 Mar 2019 — A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a ... • https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077 • CWE-284: Improper Access Control CWE-285: Improper Authorization •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2018-17247
https://notcve.org/view.php?id=CVE-2018-17247
20 Dec 2018 — Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to. Elasticsearch Security, en versiones 6.5.0 y 6.5.1, contiene un error de XEE (XML Extern... • http://www.securityfocus.com/bid/106294 • CWE-611: Improper Restriction of XML External Entity Reference •