Elasticsearch information disclosure (ESA-2018-19)
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning’s find_file_structure API. If a policy allowing external network access has been added to Elasticsearch’s Java Security Manager, an attacker could send a specially crafted request capable of leaking the contents of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.
Please note: by default Elasticsearch has the Java Security Manager enabled with policies which will cause this attack to fail.
Affected Versions
Elasticsearch Security versions 6.5.0 and 6.5.1
Solutions and Mitigations
Affected users should upgrade to Elasticsearch version 6.5.2.
CVE ID: CVE-2018-17247
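A triage check for the two conditions this advisory names, as an added example that is not Elastic's code: it flags a node whose version is 6.5.0 or 6.5.1 and whose custom Java policy text grants outbound network access. The function names, status labels and sample policy are assumptions made for illustration; the version string would come from the node's reported version.

```python
import re

AFFECTED_VERSIONS = {"6.5.0", "6.5.1"}  # versions named in the advisory

# Quoted strings are matched first so that "//" inside a target survives.
_COMMENT_RE = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
# permission <class> ["target"] [, "actions"] [, signedBy ...];
_PERM_RE = re.compile(
    r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?[^;]*;')

def network_grants(policy_text):
    """Return (class, target, actions) for grants that permit outbound connections."""
    clean = _COMMENT_RE.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", policy_text)
    found = []
    for cls, target, actions in _PERM_RE.findall(clean):
        acts = {a.strip().lower() for a in actions.split(",")}
        if (cls in ("java.security.AllPermission", "java.net.URLPermission")
                or (cls == "java.net.SocketPermission" and "connect" in acts)):
            found.append((cls, target, actions))
    return found

def assess(version, policy_text):
    """Classify a node from its version string and any custom policy text."""
    grants = network_grants(policy_text)
    if version not in AFFECTED_VERSIONS:
        return "not_affected", grants
    # Affected build: the default policy makes the attack fail, a network grant does not.
    return ("affected_exposed" if grants else "affected_mitigated"), grants

# Constructed sample of a custom policy file (not taken from any real deployment).
SAMPLE_POLICY = '''
// constructed example
grant {
  permission java.io.FilePermission "/var/data/-", "read";
  permission java.net.SocketPermission "*:443", "connect,resolve"; /* outbound */
  permission java.net.SocketPermission "localhost:9300", "listen";
};
'''

if __name__ == "__main__":
    for v in ("6.5.1", "6.5.2"):
        print(v, assess(v, SAMPLE_POLICY))
```

Both affected_ results still call for the upgrade to 6.5.2; the distinction only shows which nodes lack the default policy's protection.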