CVE-2021-22140 - log

CVE-2021-22140 edited at 27 Apr 2021 19:41:12
Severity
- Unknown
+ Critical
Remote
- Unknown
+ Remote
Type
- Unknown
+ Xml external entity injection
Description
+ An XML External Entity Injection issue (XXE) was found in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files.
References
+ https://discuss.elastic.co/t/7-12-1-security-update/271433
+ https://www.elastic.co/blog/introducing-elastic-app-search-web-crawler
Notes
+ This feature is only present in Elastic Enterprise Search, starting from version 7.11.
CVE-2021-22140 created at 27 Apr 2021 19:39:29