Elasticsearch directory traversal vulnerability CVE-2015-5531

(Kevin Kluge) #1

Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack that allows an attacker to retrieve files that are readable by the Elasticsearch JVM process.

We have been assigned CVE-2015-5531 for this issue.

Fixed versions
Versions 1.6.1 and 1.7.0 address the vulnerability.

Users should upgrade to the 1.6.1 or 1.7.0 releases. Users that do not wish to upgrade can use a firewall, reverse proxy, or Shield to prevent snapshot API calls from untrusted sources.

Overall CVSS score: 2.6

Benjamin Smith reported the issue.
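As an added example (not part of the announcement or of Elasticsearch itself), one way to implement the reverse-proxy mitigation with nginx: the proxy restricts the snapshot API to trusted sources while passing everything else through. The loopback upstream address and the trusted admin network (10.0.0.0/8) are assumptions; bind Elasticsearch itself to loopback so clients cannot bypass the proxy.

```nginx
# Added example, not the project's own configuration.
# Assumes Elasticsearch 1.x listens only on 127.0.0.1:9200 and that
# 10.0.0.0/8 is the trusted admin network (placeholder value).
upstream elasticsearch {
    server 127.0.0.1:9200;
}

server {
    listen 9200;   # clients talk to the proxy, not to Elasticsearch directly

    # Snapshot/repository API: only trusted sources may call it.
    # Matches /_snapshot and /_snapshot/<repo>/... but not other paths.
    location ~ ^/_snapshot(/|$) {
        allow 10.0.0.0/8;   # assumption: trusted admin network
        deny  all;          # every other source gets HTTP 403
        proxy_pass http://elasticsearch;
    }

    # All remaining API calls are proxied unchanged.
    location / {
        proxy_pass http://elasticsearch;
    }
}
```

Requests denied by the `deny all` rule appear in the nginx error log, which gives a simple detection point for snapshot API calls from untrusted sources while the upgrade is pending.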