CVE-2018-17247 is a vulnerability in Elasticsearch
Published on December 20, 2018
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.
Weakness Type
What is a XXE Vulnerability?
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CVE-2018-17247 has been classified to as a XXE vulnerability or weakness.
Products Associated with CVE-2018-17247
Want to know whenever a new CVE is published for Elasticsearch? stack.watch will email you.
Affected Versions
Elasticsearch Version 6.5.0 and 6.5.1 is affected by CVE-2018-17247Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.