Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

elasticsearch-5.6.4.jar: 16 vulnerabilities (highest severity is: 9.8) reachable #15

Open
staging-whitesource-for-github-com bot opened this issue Apr 5, 2024 · 0 comments
Open

elasticsearch-5.6.4.jar: 16 vulnerabilities (highest severity is: 9.8) reachable #15

staging-whitesource-for-github-com bot opened this issue Apr 5, 2024 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource

Comments

@staging-whitesource-for-github-com
Copy link

Vulnerable Library - elasticsearch-5.6.4.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/5.6.4/elasticsearch-5.6.4.jar

Found in HEAD commit: bc3b107475518ec471b989db95049bfd59f2f30c

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (elasticsearch version) Remediation Possible** Reachability
CVE-2020-28491 High 7.5 jackson-dataformat-cbor-2.8.6.jar Transitive 7.17.9

Reachable
CVE-2022-38752 Medium 6.5 snakeyaml-1.15.jar Transitive 6.1.0

Reachable
CVE-2017-12629 Critical 9.8 lucene-queryparser-6.6.1.jar Transitive 6.0.0

Unreachable
CVE-2018-3831 High 8.8 elasticsearch-5.6.4.jar Direct 5.6.12

Unreachable
CVE-2019-7611 High 8.1 elasticsearch-5.6.4.jar Direct 5.6.15

Unreachable
CVE-2022-25857 High 7.5 snakeyaml-1.15.jar Transitive N/A*

Unreachable
CVE-2017-18640 High 7.5 snakeyaml-1.15.jar Transitive 7.7.0

Unreachable
CVE-2022-41854 Medium 6.5 snakeyaml-1.15.jar Transitive N/A*

Unreachable
CVE-2022-38751 Medium 6.5 snakeyaml-1.15.jar Transitive N/A*

Unreachable
CVE-2022-38749 Medium 6.5 snakeyaml-1.15.jar Transitive N/A*

Unreachable
CVE-2019-7614 Medium 5.9 elasticsearch-5.6.4.jar Direct 6.8.2

Unreachable
CVE-2022-38750 Medium 5.5 snakeyaml-1.15.jar Transitive 6.1.0

Unreachable
CVE-2018-3823 Medium 5.4 elasticsearch-5.6.4.jar Direct 5.6.9

Unreachable
CVE-2020-7021 Medium 4.9 elasticsearch-5.6.4.jar Direct 6.8.14

Unreachable
CVE-2018-3824 Low 3.7 elasticsearch-5.6.4.jar Direct 5.6.9

Unreachable
CVE-2020-7020 Low 3.1 elasticsearch-5.6.4.jar Direct 6.8.13

Unreachable

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-28491

Vulnerable Library - jackson-dataformat-cbor-2.8.6.jar

Support for reading and writing Concise Binary Object Representation ([CBOR](https://www.rfc-editor.org/info/rfc7049) encoded data using Jackson abstractions (streaming API, data binding, tree model)

Library home page: http://github.com/FasterXML/jackson-dataformats-binary

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-cbor/2.8.6/jackson-dataformat-cbor-2.8.6.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • jackson-dataformat-cbor-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: bc3b107475518ec471b989db95049bfd59f2f30c

Found in base branch: vp-rem

Reachability Analysis

This vulnerability is potentially reachable

com.visualpathit.account.controller.ElasticSearchController (Application)
  -> org.elasticsearch.common.xcontent.XContentFactory (Extension)
   -> org.elasticsearch.common.xcontent.cbor.CborXContent (Extension)
    -> ❌ com.fasterxml.jackson.dataformat.cbor.CBORParser (Vulnerable Component)

Vulnerability Details

This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.

Publish Date: 2021-02-18

URL: CVE-2020-28491

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28491

Release Date: 2021-02-18

Fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-cbor): 2.11.4

Direct dependency fix Resolution (org.elasticsearch:elasticsearch): 7.17.9

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-38752

Vulnerable Library - snakeyaml-1.15.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.15/snakeyaml-1.15.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • snakeyaml-1.15.jar (Vulnerable Library)

Found in HEAD commit: bc3b107475518ec471b989db95049bfd59f2f30c

Found in base branch: vp-rem

Reachability Analysis

This vulnerability is potentially reachable

com.visualpathit.account.controller.ElasticSearchController (Application)
  -> org.elasticsearch.common.xcontent.XContentFactory (Extension)
   -> org.elasticsearch.common.xcontent.yaml.YamlXContent (Extension)
    -> com.fasterxml.jackson.dataformat.yaml.YAMLParser (Extension)
     -> ❌ org.yaml.snakeyaml.parser.ParserImpl (Vulnerable Component)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w3m-gqgf-c4p9

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.16

Direct dependency fix Resolution (org.elasticsearch:elasticsearch): 6.1.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-12629

Vulnerable Library - lucene-queryparser-6.6.1.jar

Lucene QueryParsers module

Library home page: http://lucene.apache.org/lucene-parent/lucene-queryparser

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/lucene/lucene-queryparser/6.6.1/lucene-queryparser-6.6.1.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • lucene-queryparser-6.6.1.jar (Vulnerable Library)

Found in HEAD commit: bc3b107475518ec471b989db95049bfd59f2f30c

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.

Publish Date: 2017-10-14

URL: CVE-2017-12629

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12629

Release Date: 2017-10-14

Fix Resolution (org.apache.lucene:lucene-queryparser): 6.6.2

Direct dependency fix Resolution (org.elasticsearch:elasticsearch): 6.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-3831

Vulnerable Library - elasticsearch-5.6.4.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/5.6.4/elasticsearch-5.6.4.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Vulnerable Library)

Found in HEAD commit: bc3b107475518ec471b989db95049bfd59f2f30c

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.

Publish Date: 2018-09-19

URL: CVE-2018-3831

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035

Release Date: 2018-09-19

Fix Resolution: 5.6.12

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-7611

Vulnerable Library - elasticsearch-5.6.4.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/5.6.4/elasticsearch-5.6.4.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Vulnerable Library)

Found in HEAD commit: bc3b107475518ec471b989db95049bfd59f2f30c

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.

Publish Date: 2019-03-25

URL: CVE-2019-7611

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fj32-6v7m-57pg

Release Date: 2019-03-25

Fix Resolution: 5.6.15

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-25857

Vulnerable Library - snakeyaml-1.15.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.15/snakeyaml-1.15.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • snakeyaml-1.15.jar (Vulnerable Library)

Found in HEAD commit: bc3b107475518ec471b989db95049bfd59f2f30c

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2017-18640

Vulnerable Library - snakeyaml-1.15.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.15/snakeyaml-1.15.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • snakeyaml-1.15.jar (Vulnerable Library)

Found in HEAD commit: bc3b107475518ec471b989db95049bfd59f2f30c

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640

Release Date: 2019-12-12

Fix Resolution (org.yaml:snakeyaml): 1.26

Direct dependency fix Resolution (org.elasticsearch:elasticsearch): 7.7.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-41854

Vulnerable Library - snakeyaml-1.15.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.15/snakeyaml-1.15.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • snakeyaml-1.15.jar (Vulnerable Library)

Found in HEAD commit: bc3b107475518ec471b989db95049bfd59f2f30c

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

Publish Date: 2022-11-11

URL: CVE-2022-41854

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/

Release Date: 2022-11-11

Fix Resolution: org.yaml:snakeyaml:1.32

CVE-2022-38751

Vulnerable Library - snakeyaml-1.15.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.15/snakeyaml-1.15.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • snakeyaml-1.15.jar (Vulnerable Library)

Found in HEAD commit: bc3b107475518ec471b989db95049bfd59f2f30c

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38751

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2022-38749

Vulnerable Library - snakeyaml-1.15.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.15/snakeyaml-1.15.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • snakeyaml-1.15.jar (Vulnerable Library)

Found in HEAD commit: bc3b107475518ec471b989db95049bfd59f2f30c

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38749

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2019-7614

Vulnerable Library - elasticsearch-5.6.4.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/5.6.4/elasticsearch-5.6.4.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Vulnerable Library)

Found in HEAD commit: bc3b107475518ec471b989db95049bfd59f2f30c

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header containing sensitive data from another user.

Publish Date: 2019-07-30

URL: CVE-2019-7614

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7614

Release Date: 2019-07-30

Fix Resolution: 6.8.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-38750

Vulnerable Library - snakeyaml-1.15.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.15/snakeyaml-1.15.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Root Library)
    • snakeyaml-1.15.jar (Vulnerable Library)

Found in HEAD commit: bc3b107475518ec471b989db95049bfd59f2f30c

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38750

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.16

Direct dependency fix Resolution (org.elasticsearch:elasticsearch): 6.1.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-3823

Vulnerable Library - elasticsearch-5.6.4.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/5.6.4/elasticsearch-5.6.4.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Vulnerable Library)

Found in HEAD commit: bc3b107475518ec471b989db95049bfd59f2f30c

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs.

Publish Date: 2018-09-19

URL: CVE-2018-3823

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://discuss.elastic.co/t/elastic-stack-6-2-4-and-5-6-9-security-update/128422

Release Date: 2018-09-19

Fix Resolution: 5.6.9

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7021

Vulnerable Library - elasticsearch-5.6.4.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/5.6.4/elasticsearch-5.6.4.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Vulnerable Library)

Found in HEAD commit: bc3b107475518ec471b989db95049bfd59f2f30c

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.

Publish Date: 2021-02-10

URL: CVE-2020-7021

CVSS 3 Score Details (4.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915

Release Date: 2021-02-10

Fix Resolution: 6.8.14

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-3824

Vulnerable Library - elasticsearch-5.6.4.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/5.6.4/elasticsearch-5.6.4.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Vulnerable Library)

Found in HEAD commit: bc3b107475518ec471b989db95049bfd59f2f30c

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user.

Publish Date: 2018-09-19

URL: CVE-2018-3824

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3824

Release Date: 2018-09-19

Fix Resolution: 5.6.9

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7020

Vulnerable Library - elasticsearch-5.6.4.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/5.6.4/elasticsearch-5.6.4.jar

Dependency Hierarchy:

  • elasticsearch-5.6.4.jar (Vulnerable Library)

Found in HEAD commit: bc3b107475518ec471b989db95049bfd59f2f30c

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

Publish Date: 2020-10-22

URL: CVE-2020-7020

CVSS 3 Score Details (3.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://discuss.elastic.co/t/elastic-stack-7-9-3-and-6-8-13-security-update/253033

Release Date: 2020-10-22

Fix Resolution: 6.8.13

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants