HIGH✓ PATCH🇵🇱 Wersja polska

CVE-2021-22140

CVSS 7.5v3.1pub. 2021-05-13upd. 2024-11-21

Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Elastic App Search

    APP
    Elastic
    7.11.0 – 7.12.0 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
XXE
CWE
References

Related vulnerabilities

CVE-2020-7011MEDIUM6.1ten sam produkt

Elastic App Search versions before 7.7.0 contain a cross site scripting (XSS) flaw when displaying document UR...

CVE-2019-7609CRITICAL10.0⚠ KEVten sam vendor

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. A...

CVE-2015-1427CRITICAL9.8⚠ KEVten sam vendor

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to by...

CVE-2025-37729CRITICAL9.1PL ✓ten sam vendor

Elastic Cloud Enterprise — Server-Side Template Injection (SSTI) w silniku Jinjava

CVE-2025-25014CRITICAL9.1PL ✓ten sam vendor

Prototype Pollution w Kibana prowadzące do RCE przez HTTP