An XML External Entity Injection issue (XXE) was found in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files. Reference: https://discuss.elastic.co/t/7-12-1-security-update/271433
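The defensive counterpart to the issue described above is a sitemap parser that refuses every DTD construct before any entity can be expanded. The following Python example is added here for illustration; it is not code from Elastic's crawler or from Red Hat, and the two sitemap documents it parses are constructed (the `file:///PLACEHOLDER/...` path is a placeholder, not a real target). It uses the standard library's expat bindings so that a DOCTYPE, an entity declaration or an external entity reference aborts parsing immediately, and it collects only the `<loc>` URLs a crawler actually needs.

```python
"""Hardened sitemap.xml parser that refuses DTDs and entity declarations.

Constructed example written for this page; it is not Elastic's crawler code.
Python's expat bindings are used so that a DOCTYPE, an entity declaration or
an external entity reference aborts parsing before any expansion can happen.
"""
import xml.parsers.expat
from typing import List, Optional


class UnsafeSitemapError(ValueError):
    """A sitemap contained a construct a crawler should never honour."""


def parse_sitemap(xml_bytes: bytes) -> List[str]:
    """Return the <loc> URLs from a sitemap, or raise UnsafeSitemapError.

    Only the element/character handlers a sitemap needs are installed; the
    three DTD-related handlers raise, which makes expat stop immediately.
    """
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    # Never fetch or expand parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSitemapError(f"DOCTYPE {name!r} is not permitted in a sitemap")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeSitemapError(f"entity declaration {name!r} is not permitted")

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeSitemapError(f"external entity reference to {sysid!r} blocked")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref

    urls: List[str] = []
    buf: List[str] = []
    in_loc = False

    def local_name(qname: str) -> str:
        # With namespace_separator=" ", names arrive as "<namespace> <local>".
        return qname.rsplit(" ", 1)[-1]

    def start(name, attrs):
        nonlocal in_loc
        if local_name(name) == "loc":
            in_loc = True
            buf.clear()

    def chars(data):
        if in_loc:
            buf.append(data)  # text may arrive in several chunks

    def end(name):
        nonlocal in_loc
        if local_name(name) == "loc":
            urls.append("".join(buf).strip())
            in_loc = False

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)
    return urls


def sitemap_rejection_reason(xml_bytes: bytes) -> Optional[str]:
    """Return why a sitemap would be refused, or None if it parses cleanly."""
    try:
        parse_sitemap(xml_bytes)
    except UnsafeSitemapError as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"malformed XML: {exc}"
    return None


# Constructed sample inputs (not taken from any real site or from the advisory).
BENIGN_SITEMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/about</loc></url>
</urlset>
"""

# Same shape as the problem the advisory describes: an external entity whose
# expansion would be read from the crawler host's filesystem. The path is a
# placeholder; the hardened parser never gets as far as resolving it.
ENTITY_SITEMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE urlset [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/local-file"> ]>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>&ext;</loc></url>
</urlset>
"""

if __name__ == "__main__":
    print(parse_sitemap(BENIGN_SITEMAP))
    print(sitemap_rejection_reason(ENTITY_SITEMAP))
```

Rejecting the DOCTYPE outright, rather than only blocking external entity resolution, is deliberate: sitemaps have no legitimate use for a DTD, and refusing it also closes entity-expansion denial-of-service variants. In a crawler, `sitemap_rejection_reason` is the value worth logging per fetched sitemap, since a non-None result from a site you crawl is a signal worth investigating.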
servicemesh-grafana includes neither elasticsearch nor the affected code, only connectors that talk to servicemesh.
External References: https://discuss.elastic.co/t/7-12-1-security-update/271433
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22140
Statement: This vulnerability only affects the 'App Search web crawler beta feature' for Elastic Enterprise Search, as noted in the Elastic.co advisory [1]. That feature is not available in the upstream elasticsearch open source namespace on GitHub [2].
[1] https://discuss.elastic.co/t/7-12-1-security-update/271433
[2] https://github.com/elastic