HIGH✓ PATCH🇬🇧 English

CVE-2021-22140

CVSS 7.5v3.1pub. 2021-05-13upd. 2024-11-21

Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Elastic App Search

    APP
    Elastic
    7.11.0 – 7.12.0 (bez)
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
Tagi
XXE
CWE
Referencje

Powiązane podatności

CVE-2020-7011MEDIUM6.1ten sam produkt

Elastic App Search versions before 7.7.0 contain a cross site scripting (XSS) flaw when displaying document UR...

CVE-2019-7609CRITICAL10.0⚠ KEVten sam vendor

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. A...

CVE-2015-1427CRITICAL9.8⚠ KEVten sam vendor

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to by...

CVE-2025-37729CRITICAL9.1PL ✓ten sam vendor

Elastic Cloud Enterprise — Server-Side Template Injection (SSTI) w silniku Jinjava

CVE-2025-25014CRITICAL9.1PL ✓ten sam vendor

Prototype Pollution w Kibana prowadzące do RCE przez HTTP