Elasticsearch 1.3.x CORS Issue

2014.10.05
Credit: elasticsearch
Risk: Medium
Local: No
Remote: No
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Summary: Elasticsearch versions 1.3.x and prior have a default configuration for CORS that allows an attacker to craft links that could cause a user’s browser to send requests to Elasticsearch instances on their local network. These requests could cause data loss or compromise. We have been assigned CVE-2014-6439 for this issue. t http://www.osisecurity.com.au/ Fixed versions: Version 1.4.0 beta 1 and later change the default configuration. Remediation: Users should either set “http.cors.enabled” to false, or set “http.cors.allow-origin” to the value of the server that should be allowed access, such as localhost or a server hosting Kibana. Disabling CORS entirely with the former setting is more secure, but may not be suitable for all use cases. CVSS Overall CVSS score: 5.3 More information: http://www.elasticsearch.org/blog/elasticsearch-1-4-0-beta-released/

References:

http://www.elasticsearch.org/blog/elasticsearch-1-4-0-beta-released/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top