Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

elasticsearch-5.6.4.jar: 18 vulnerabilities (highest severity is: 9.8) reachable #16

Open
mend-for-github-com bot opened this issue Apr 17, 2023 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-for-github-com
Copy link

mend-for-github-com bot commented Apr 17, 2023

Vulnerable Library - elasticsearch-5.6.4.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/5.6.4/elasticsearch-5.6.4.jar

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (elasticsearch version) Remediation Possible** Reachability
CVE-2018-3831 High 8.8 elasticsearch-5.6.4.jar Direct 5.6.12

Reachable

CVE-2019-7611 High 8.1 elasticsearch-5.6.4.jar Direct 5.6.15

Reachable

CVE-2023-31418 High 7.5 elasticsearch-5.6.4.jar Direct 7.17.13

Reachable

CVE-2020-28491 High 7.5 jackson-dataformat-cbor-2.8.6.jar Transitive 7.17.9

Reachable

CVE-2022-38752 Medium 6.5 snakeyaml-1.15.jar Transitive 7.17.9

Reachable

CVE-2018-3824 Medium 6.1 elasticsearch-5.6.4.jar Direct 5.6.9

Reachable

CVE-2019-7614 Medium 5.9 elasticsearch-5.6.4.jar Direct 6.8.2

Reachable

CVE-2018-3823 Medium 5.4 elasticsearch-5.6.4.jar Direct 5.6.9

Reachable

CVE-2020-7021 Medium 4.9 elasticsearch-5.6.4.jar Direct 6.8.14

Reachable

CVE-2020-7020 Low 3.1 elasticsearch-5.6.4.jar Direct 6.8.13

Reachable

CVE-2017-12629 Critical 9.8 lucene-queryparser-6.6.1.jar Transitive 6.0.0

Unreachable

CVE-2022-1471 High 8.3 snakeyaml-1.15.jar Transitive 8.2.0

Unreachable

CVE-2022-25857 High 7.5 snakeyaml-1.15.jar Transitive 7.17.9

Unreachable

CVE-2017-18640 High 7.5 snakeyaml-1.15.jar Transitive 7.7.0

Unreachable

CVE-2022-38751 Medium 6.5 snakeyaml-1.15.jar Transitive 7.17.9

Unreachable

CVE-2022-38750 Medium 6.5 snakeyaml-1.15.jar Transitive 7.17.9

Unreachable

CVE-2022-38749 Medium 6.5 snakeyaml-1.15.jar Transitive 7.17.9

Unreachable

CVE-2022-41854 Medium 5.8 snakeyaml-1.15.jar Transitive 7.17.9

Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2018-3831

Vulnerable Library - elasticsearch-5.6.4.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/5.6.4/elasticsearch-5.6.4.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

This vulnerability is potentially reachable

com.visualpathit.account.utils.ElasticsearchUtil (Application)
  -> org.elasticsearch.client.transport.TransportClient (Extension)
   -> org.elasticsearch.search.SearchModule (Extension)
    -> org.elasticsearch.index.query.functionscore.ScriptScoreFunctionBuilder (Extension)
     -> org.elasticsearch.common.lucene.search.function.ScriptScoreFunction (Extension)
      -> ❌ org.elasticsearch.common.lucene.search.function.ScriptScoreFunction$CannedScorer (Vulnerable Component)

Vulnerability Details

Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.

Publish Date: 2018-09-19

URL: CVE-2018-3831

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035

Release Date: 2018-09-19

Fix Resolution: 5.6.12

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-7611

Vulnerable Library - elasticsearch-5.6.4.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/5.6.4/elasticsearch-5.6.4.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

This vulnerability is potentially reachable

com.visualpathit.account.utils.ElasticsearchUtil (Application)
  -> org.elasticsearch.client.transport.TransportClient (Extension)
   -> org.elasticsearch.action.ActionModule (Extension)
    -> org.elasticsearch.rest.action.admin.indices.RestSyncedFlushAction (Extension)
     -> ❌ org.elasticsearch.rest.action.admin.indices.RestSyncedFlushAction$1 (Vulnerable Component)

Vulnerability Details

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.

Publish Date: 2019-03-25

URL: CVE-2019-7611

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fj32-6v7m-57pg

Release Date: 2019-03-25

Fix Resolution: 5.6.15

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-31418

Vulnerable Library - elasticsearch-5.6.4.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/5.6.4/elasticsearch-5.6.4.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

This vulnerability is potentially reachable

com.visualpathit.account.utils.ElasticsearchUtil (Application)
  -> org.elasticsearch.client.transport.TransportClient (Extension)
   -> org.elasticsearch.cluster.ClusterModule (Extension)
    -> org.elasticsearch.cluster.routing.allocation.allocator.BalancedShardsAllocator (Extension)
     -> ❌ org.elasticsearch.cluster.routing.allocation.allocator.BalancedShardsAllocator$WeightFunction (Vulnerable Component)

Vulnerability Details

An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. The issue was identified by Elastic Engineering and we have no indication that the issue is known or that it is being exploited in the wild.

Publish Date: 2023-10-26

URL: CVE-2023-31418

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2cqf-6xv9-f22w

Release Date: 2023-10-26

Fix Resolution: 7.17.13

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-28491

Vulnerable Library - jackson-dataformat-cbor-2.8.6.jar

Support for reading and writing Concise Binary Object Representation ([CBOR](https://www.rfc-editor.org/info/rfc7049) encoded data using Jackson abstractions (streaming API, data binding, tree model)

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-cbor/2.8.6/jackson-dataformat-cbor-2.8.6.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • jackson-dataformat-cbor-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

This vulnerability is potentially reachable

com.visualpathit.account.controller.ElasticSearchController (Application)
  -> org.elasticsearch.common.xcontent.XContentFactory (Extension)
   -> org.elasticsearch.common.xcontent.cbor.CborXContent (Extension)
    -> ❌ com.fasterxml.jackson.dataformat.cbor.CBORParser (Vulnerable Component)

Vulnerability Details

This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.

Publish Date: 2021-02-18

URL: CVE-2020-28491

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28491

Release Date: 2021-02-18

Fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-cbor): 2.11.4

Direct dependency fix Resolution (org.elasticsearch:elasticsearch): 7.17.9

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-38752

Vulnerable Library - snakeyaml-1.15.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.15/snakeyaml-1.15.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • snakeyaml-1.15.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

This vulnerability is potentially reachable

com.visualpathit.account.controller.ElasticSearchController (Application)
  -> org.elasticsearch.common.xcontent.XContentFactory (Extension)
   -> org.elasticsearch.common.xcontent.yaml.YamlXContent (Extension)
    -> com.fasterxml.jackson.dataformat.yaml.YAMLParser (Extension)
     -> ❌ org.yaml.snakeyaml.parser.ParserImpl (Vulnerable Component)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w3m-gqgf-c4p9

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.32

Direct dependency fix Resolution (org.elasticsearch:elasticsearch): 7.17.9

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-3824

Vulnerable Library - elasticsearch-5.6.4.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/5.6.4/elasticsearch-5.6.4.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

This vulnerability is potentially reachable

com.visualpathit.account.utils.ElasticsearchUtil (Application)
  -> org.elasticsearch.client.transport.TransportClient (Extension)
   -> org.elasticsearch.action.ActionModule (Extension)
    -> org.elasticsearch.rest.action.admin.indices.RestSyncedFlushAction (Extension)
     -> ❌ org.elasticsearch.rest.action.admin.indices.RestSyncedFlushAction$1 (Vulnerable Component)

Vulnerability Details

X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user.

Publish Date: 2018-09-19

URL: CVE-2018-3824

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3824

Release Date: 2018-09-19

Fix Resolution: 5.6.9

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-7614

Vulnerable Library - elasticsearch-5.6.4.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/5.6.4/elasticsearch-5.6.4.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

This vulnerability is potentially reachable

com.visualpathit.account.utils.ElasticsearchUtil (Application)
  -> org.elasticsearch.client.transport.TransportClient (Extension)
   -> org.elasticsearch.cluster.ClusterModule (Extension)
    -> org.elasticsearch.cluster.routing.allocation.allocator.BalancedShardsAllocator (Extension)
     -> ❌ org.elasticsearch.cluster.routing.allocation.allocator.BalancedShardsAllocator$WeightFunction (Vulnerable Component)

Vulnerability Details

A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header containing sensitive data from another user.

Publish Date: 2019-07-30

URL: CVE-2019-7614

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7614

Release Date: 2019-07-30

Fix Resolution: 6.8.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-3823

Vulnerable Library - elasticsearch-5.6.4.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/5.6.4/elasticsearch-5.6.4.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

This vulnerability is potentially reachable

com.visualpathit.account.utils.ElasticsearchUtil (Application)
  -> org.elasticsearch.client.transport.TransportClient (Extension)
   -> org.elasticsearch.action.ActionModule (Extension)
    -> org.elasticsearch.rest.action.admin.indices.RestSyncedFlushAction (Extension)
     -> ❌ org.elasticsearch.rest.action.admin.indices.RestSyncedFlushAction$1 (Vulnerable Component)

Vulnerability Details

X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs.

Publish Date: 2018-09-19

URL: CVE-2018-3823

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://discuss.elastic.co/t/elastic-stack-6-2-4-and-5-6-9-security-update/128422

Release Date: 2018-09-19

Fix Resolution: 5.6.9

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7021

Vulnerable Library - elasticsearch-5.6.4.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/5.6.4/elasticsearch-5.6.4.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

This vulnerability is potentially reachable

com.visualpathit.account.utils.ElasticsearchUtil (Application)
  -> org.elasticsearch.client.transport.TransportClient (Extension)
   -> org.elasticsearch.action.ActionModule (Extension)
    -> org.elasticsearch.common.inject.multibindings.Multibinder (Extension)
    ...
      -> org.elasticsearch.common.inject.Binding (Extension)
       -> org.elasticsearch.common.inject.spi.BindingTargetVisitor (Extension)
        -> ❌ org.elasticsearch.common.inject.spi.ConstructorBinding (Vulnerable Component)

Vulnerability Details

Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.

Publish Date: 2021-02-10

URL: CVE-2020-7021

CVSS 3 Score Details (4.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915

Release Date: 2021-02-10

Fix Resolution: 6.8.14

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7020

Vulnerable Library - elasticsearch-5.6.4.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/5.6.4/elasticsearch-5.6.4.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

This vulnerability is potentially reachable

com.visualpathit.account.controller.ElasticSearchController (Application)
  -> org.elasticsearch.action.get.GetResponse (Extension)
   -> org.elasticsearch.index.get.GetField (Extension)
    -> org.elasticsearch.index.mapper.NumberFieldMapper$NumberFieldType (Extension)
    ...
      -> org.elasticsearch.common.joda.Joda (Extension)
       -> org.joda.time.format.StrictISODateTimeFormat (Extension)
        -> ❌ org.joda.time.format.StrictISODateTimeFormat$Constants (Vulnerable Component)

Vulnerability Details

Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

Publish Date: 2020-10-22

URL: CVE-2020-7020

CVSS 3 Score Details (3.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://discuss.elastic.co/t/elastic-stack-7-9-3-and-6-8-13-security-update/253033

Release Date: 2020-10-22

Fix Resolution: 6.8.13

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-12629

Vulnerable Library - lucene-queryparser-6.6.1.jar

Lucene QueryParsers module

Library home page: http://www.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/lucene/lucene-queryparser/6.6.1/lucene-queryparser-6.6.1.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • lucene-queryparser-6.6.1.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.

Publish Date: 2017-10-14

URL: CVE-2017-12629

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-mh7g-99w9-xpjm

Release Date: 2017-10-14

Fix Resolution (org.apache.lucene:lucene-queryparser): 6.6.2

Direct dependency fix Resolution (org.elasticsearch:elasticsearch): 6.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-1471

Vulnerable Library - snakeyaml-1.15.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.15/snakeyaml-1.15.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • snakeyaml-1.15.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

CVSS 3 Score Details (8.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution (org.yaml:snakeyaml): 2.0

Direct dependency fix Resolution (org.elasticsearch:elasticsearch): 8.2.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-25857

Vulnerable Library - snakeyaml-1.15.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.15/snakeyaml-1.15.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • snakeyaml-1.15.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.elasticsearch:elasticsearch): 7.17.9

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-18640

Vulnerable Library - snakeyaml-1.15.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.15/snakeyaml-1.15.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • snakeyaml-1.15.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640

Release Date: 2019-12-12

Fix Resolution (org.yaml:snakeyaml): 1.26

Direct dependency fix Resolution (org.elasticsearch:elasticsearch): 7.7.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-38751

Vulnerable Library - snakeyaml-1.15.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.15/snakeyaml-1.15.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • snakeyaml-1.15.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38751

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.elasticsearch:elasticsearch): 7.17.9

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-38750

Vulnerable Library - snakeyaml-1.15.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.15/snakeyaml-1.15.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • snakeyaml-1.15.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38750

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.elasticsearch:elasticsearch): 7.17.9

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-38749

Vulnerable Library - snakeyaml-1.15.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.15/snakeyaml-1.15.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • snakeyaml-1.15.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38749

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.elasticsearch:elasticsearch): 7.17.9

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-41854

Vulnerable Library - snakeyaml-1.15.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.15/snakeyaml-1.15.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • snakeyaml-1.15.jar (Vulnerable Library)

Found in HEAD commit: 643a7fad08d6608eaf25b22f87aee4b43387f2fc

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

Publish Date: 2022-11-11

URL: CVE-2022-41854

CVSS 3 Score Details (5.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/

Release Date: 2022-11-11

Fix Resolution (org.yaml:snakeyaml): 1.32

Direct dependency fix Resolution (org.elasticsearch:elasticsearch): 7.17.9

⛑️ Automatic Remediation will be attempted for this issue.


⛑️Automatic Remediation will be attempted for this issue.

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Apr 17, 2023
@mend-for-github-com mend-for-github-com bot changed the title elasticsearch-5.6.4.jar: 17 vulnerabilities (highest severity is: 9.8) elasticsearch-5.6.4.jar: 17 vulnerabilities (highest severity is: 9.8) reachable Jul 2, 2023
@mend-for-github-com mend-for-github-com bot changed the title elasticsearch-5.6.4.jar: 17 vulnerabilities (highest severity is: 9.8) reachable elasticsearch-5.6.4.jar: 18 vulnerabilities (highest severity is: 9.8) reachable Feb 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Development

No branches or pull requests

0 participants