1955289 – (CVE-2021-22140) CVE-2021-22140 Elastic App Search: App Search XML External Entity Injection

Bug 1955289 (CVE-2021-22140) - CVE-2021-22140 Elastic App Search: App Search XML External Entity Injection

Summary: CVE-2021-22140 Elastic App Search: App Search XML External Entity Injection

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2021-22140
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1955290
TreeView+	depends on / blocked

Reported:	2021-04-29 19:39 UTC by Guilherme de Almeida Suckevicz
Modified:	2023-08-31 23:59 UTC (History)
CC List:	61 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Elastic Enterprise Search. An attacker, using an XML External Entity Injection (XXE) issue in the App Search web crawler, could craft a malicious sitemap.xml allowing the crawler to traverse the filesystem of the host running the instance and obtain sensitive files. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed:	2021-05-04 10:46:43 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-04-29 19:39:30 UTC

An XML External Entity Injection issue (XXE) was found in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files.

Reference:
https://discuss.elastic.co/t/7-12-1-security-update/271433

Comment 2 Anten Skrabec 2021-05-01 01:59:16 UTC

servicemesh-grafana does not include elasticsearch nor the affected code, only connectors that talk to servicemesh.

Comment 3 Eric Christensen 2021-05-03 13:25:50 UTC

External References:

https://discuss.elastic.co/t/7-12-1-security-update/271433

Comment 4 Product Security DevOps Team 2021-05-04 10:46:43 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22140

Comment 5 Przemyslaw Roguski 2021-05-04 15:46:55 UTC

Statement:

This vulnerability only affects the 'App Search web crawler beta feature' for Elastic Enterprise Search, as noted in the Elastic.co advisory [1]. That feature is not available in the upstream elasticsearch open source namespace on Github [2].

[1] https://discuss.elastic.co/t/7-12-1-security-update/271433
[2] https://github.com/elastic

Note You need to log in before you can comment on or make changes to this bug.

aileenc
akoufoud
alazarot
almorale
anstephe
aos-bugs
apevec
apevec
bdettelb
bibryam
bmontgom
chazlett
dbecker
dbruno
drieden
eparis
etirelli
ggaughan
gmalinko
gvarsami
hbraun
ibek
janstey
jburrell
jcantril
jcoleman
jjoyce
jochrist
jokerman
jschluet
jstastny
jwendell
jwon
kconner
krathod
kverlaen
ldimaggi
lhh
lpeer
mburns
mmagr
mnovotny
nstielau
nwallace
pantinor
piotr1212
pjindal
rcernich
rrajasek
rwagner
sclewis
sd-operator-metering
slinaber
sponnaga
steve.traylen
tcunning
tflannag
tkirby
tomckay
twalsh
tzimanyi