Vulnerability Details : CVE-2021-22140
Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files.
Vulnerability category: XML external entity (XXE) injection
Products affected by CVE-2021-22140
- cpe:2.3:a:elastic:elastic_app_search:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-22140
0.18%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 55 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-22140
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2021-22140
-
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.Assigned by:
- bressers@elastic.co (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2021-22140
-
https://discuss.elastic.co/t/7-12-1-security-update/271433
7.12.1 Security Update - Announcements / Security Announcements - Discuss the Elastic StackVendor Advisory
Jump to