Vulnerable Libraries - elasticsearch-6.3.2.jar, elasticsearch-6.4.3.jar, elasticsearch-5.3.0.jar, elasticsearch-5.0.0.jar, elasticsearch-2.4.6.jar, elasticsearch-6.4.0.jar, elasticsearch-2.2.0.jar, elasticsearch-5.5.0.jar, elasticsearch-2.0.0.jar, elasticsearch-6.0.0.jar
elasticsearch-6.3.2.jar
Elasticsearch subproject :server
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/rest-5/rest-5.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/6.3.2/1b4b423e654d5ec6eef747ee29baf2bf1def1c7b/elasticsearch-6.3.2.jar
Dependency Hierarchy:
- ❌ elasticsearch-6.3.2.jar (Vulnerable Library)
elasticsearch-6.4.3.jar
Elasticsearch subproject :server
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/transport-6/transport-6.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/6.4.3/2fea9b67907d868a07c94d92f7c31b260b1095e6/elasticsearch-6.4.3.jar
Dependency Hierarchy:
- transport-6.4.3.jar (Root Library)
- ❌ elasticsearch-6.4.3.jar (Vulnerable Library)
elasticsearch-5.3.0.jar
Elasticsearch subproject :core
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/transport-5.3/transport-5.3.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.3.0/f42e60773fa004188020327fcfbd5b946f9834c6/elasticsearch-5.3.0.jar
Dependency Hierarchy:
- transport-5.3.0.jar (Root Library)
- ❌ elasticsearch-5.3.0.jar (Vulnerable Library)
elasticsearch-5.0.0.jar
Elasticsearch subproject :core
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/rest-5/rest-5.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.0.0/3925b82e256d59b36d96f0b3ffaae4e73706cbdb/elasticsearch-5.0.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.0.0/3925b82e256d59b36d96f0b3ffaae4e73706cbdb/elasticsearch-5.0.0.jar
Dependency Hierarchy:
- ❌ elasticsearch-5.0.0.jar (Vulnerable Library)
elasticsearch-2.4.6.jar
Elasticsearch - Open Source, Distributed, RESTful Search Engine
Library home page: http://nexus.sonatype.org/oss-repository-hosting.html/parent/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/transport-2/transport-2.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/2.4.6/d2954e1173a608a9711f132d1768a676a8b1fb81/elasticsearch-2.4.6.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/2.4.6/d2954e1173a608a9711f132d1768a676a8b1fb81/elasticsearch-2.4.6.jar
Dependency Hierarchy:
- ❌ elasticsearch-2.4.6.jar (Vulnerable Library)
elasticsearch-6.4.0.jar
Elasticsearch subproject :server
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/rest-6.4/rest-6.4.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/6.4.0/e14f124c6b7cfc93aa5e5c7f616df4f06c0f7c99/elasticsearch-6.4.0.jar
Dependency Hierarchy:
- ❌ elasticsearch-6.4.0.jar (Vulnerable Library)
elasticsearch-2.2.0.jar
Elasticsearch - Open Source, Distributed, RESTful Search Engine
Library home page: http://nexus.sonatype.org/oss-repository-hosting.html/parent/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/transport-2/transport-2.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/2.2.0/9b4096cb3b175d0d3a643b70fe95b6a1c8e48553/elasticsearch-2.2.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/2.2.0/9b4096cb3b175d0d3a643b70fe95b6a1c8e48553/elasticsearch-2.2.0.jar
Dependency Hierarchy:
- ❌ elasticsearch-2.2.0.jar (Vulnerable Library)
elasticsearch-5.5.0.jar
Elasticsearch subproject :core
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/transport-5.3/transport-5.3.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.5.0/53060a2e2373158645f0c42c51996af4914eedd7/elasticsearch-5.5.0.jar
Dependency Hierarchy:
- spring-data-elasticsearch-3.0.0.RELEASE.jar (Root Library)
- ❌ elasticsearch-5.5.0.jar (Vulnerable Library)
elasticsearch-2.0.0.jar
Elasticsearch - Open Source, Distributed, RESTful Search Engine
Library home page: http://nexus.sonatype.org/oss-repository-hosting.html/parent/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/transport-2/transport-2.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/2.0.0/a1189b6b207fda733044b4f0d766ff04103d0b81/elasticsearch-2.0.0.jar,/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/2.0.0/a1189b6b207fda733044b4f0d766ff04103d0b81/elasticsearch-2.0.0.jar
Dependency Hierarchy:
- ❌ elasticsearch-2.0.0.jar (Vulnerable Library)
elasticsearch-6.0.0.jar
Elasticsearch subproject :core
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/transport-6/transport-6.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/6.0.0/5b88a93549c5082c3c500feab846d0f71da50a58/elasticsearch-6.0.0.jar
Dependency Hierarchy:
- transport-6.0.0.jar (Root Library)
- ❌ elasticsearch-6.0.0.jar (Vulnerable Library)
Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079
Found in base branch: master
Suggested Fix
Type: Upgrade version
Origin: GHSA-fj32-6v7m-57pg
Release Date: 2019-03-25
Fix Resolution (org.elasticsearch:elasticsearch): 6.6.1
Direct dependency fix Resolution (org.elasticsearch.client:transport): 6.6.1
Fix Resolution (org.elasticsearch:elasticsearch): 5.6.15
Direct dependency fix Resolution (org.elasticsearch.client:transport): 5.6.15
Fix Resolution (org.elasticsearch:elasticsearch): 5.6.15
Direct dependency fix Resolution (org.springframework.data:spring-data-elasticsearch): 3.1.0.RELEASE
Fix Resolution (org.elasticsearch:elasticsearch): 6.6.1
Direct dependency fix Resolution (org.elasticsearch.client:transport): 6.6.1
CVE-2019-7611 - High Severity Vulnerability
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.
Publish Date: 2019-03-25
URL: CVE-2019-7611
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
⛑️ Automatic Remediation is available for this issue