CVE-2015-3337 — elasticsearch - security update

Description

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.

How to fix CVE-2015-3337

To remediate CVE-2015-3337, upgrade the affected package to a fixed version below.

Debian/elasticsearch—upgrade to 1.0.3+dfsg-5+deb8u1 or later
Maven/org.elasticsearch:elasticsearch—upgrade to 1.4.5 or later

Is CVE-2015-3337 being exploited?

Likely — EPSS is 91.8%, placing CVE-2015-3337 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

from 0, < 1.0.3+dfsg-5+deb8u1
from 0, < 1.4.5

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-3337
WEBpacketstormsecurity.com/files/131646/Elasticsearch-Directory-Traversal.html
WEBwww.elastic.co/community/security
WEBwww.exploit-db.com/exploits/37054
WEB