FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
026759e0-1ba3-11e5-b43d-002590263bf5elasticsearch -- remote OS command execution via Groovy scripting engine

Elastic reports:

Vulnerability Summary: Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine that were introduced in 1.3.0. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.

Remediation Summary: Users should upgrade to 1.3.8 or 1.4.3. Users that do not want to upgrade can address the vulnerability by setting script.groovy.sandbox.enabled to false in elasticsearch.yml and restarting the node.


Discovery 2015-02-11
Entry 2015-06-26
elasticsearch
ge 1.3.0 lt 1.3.8

ge 1.4.0 lt 1.4.3

CVE-2015-1427
72585
https://www.elastic.co/community/security
https://www.elastic.co/blog/elasticsearch-1-4-3-and-1-3-8-released
http://www.securityfocus.com/archive/1/archive/1/534689/100/0/threaded
https://packetstormsecurity.com/files/130368/Elasticsearch-1.3.7-1.4.2-Sandbox-Escape-Command-Execution.html
https://packetstormsecurity.com/files/130784/ElasticSearch-Unauthenticated-Remote-Code-Execution.html
23232028-1ba4-11e5-b43d-002590263bf5elasticsearch -- security fix for shared file-system repositories

Elastic reports:

Vulnerability Summary: All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications.

Remediation Summary: Users should upgrade to 1.6.0. Alternately, ensure that other applications are not present on the system, or that Elasticsearch cannot write into areas where these applications would read.


Discovery 2015-06-09
Entry 2015-06-26
elasticsearch
ge 1.0.0 lt 1.6.0

CVE-2015-4165
ports/201008
https://www.elastic.co/community/security
https://www.elastic.co/blog/elasticsearch-1-6-0-released
43ac9d42-1b9a-11e5-b43d-002590263bf5elasticsearch and logstash -- remote OS command execution via dynamic scripting

Elastic reports:

Vulnerability Summary: In Elasticsearch versions 1.1.x and prior, dynamic scripting is enabled by default. This could allow an attacker to execute OS commands.

Remediation Summary: Disable dynamic scripting.

Logstash 1.4.2 was bundled with Elasticsearch 1.1.1, which is vulnerable to CVE-2014-3120. These binaries are used in Elasticsearch output specifically when using the node protocol. Since a node client joins the Elasticsearch cluster, the attackers could use scripts to execute commands on the host OS using the node client's URL endpoint. With 1.4.3 release, we are packaging Logstash with Elasticsearch 1.5.2 binaries which by default disables the ability to run scripts. This also affects users who are using the configuration option embedded=>true in the Elasticsearch output which starts a local embedded Elasticsearch cluster. This is typically used in development environment and proof of concept deployments. Regardless of this vulnerability, we strongly recommend not using embedded in production.

Note that users of transport and http protocol are not vulnerable to this attack.


Discovery 2014-05-22
Entry 2015-06-26
elasticsearch
< 1.2.0

logstash
< 1.4.3

CVE-2014-3120
67731
https://www.elastic.co/community/security
https://www.elastic.co/blog/elasticsearch-1-2-0-released
https://www.elastic.co/blog/logstash-1-4-3-released
https://www.exploit-db.com/exploits/33370/
http://bouk.co/blog/elasticsearch-rce/
http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce
https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch
5951fb49-1ba2-11e5-b43d-002590263bf5elasticsearch -- cross site scripting vulnerability in the CORS functionality

Elastic reports:

Vulnerability Summary: Elasticsearch versions 1.3.x and prior have a default configuration for CORS that allows an attacker to craft links that could cause a user's browser to send requests to Elasticsearch instances on their local network. These requests could cause data loss or compromise.

Remediation Summary: Users should either set "http.cors.enabled" to false, or set "http.cors.allow-origin" to the value of the server that should be allowed access, such as localhost or a server hosting Kibana. Disabling CORS entirely with the former setting is more secure, but may not be suitable for all use cases.


Discovery 2014-10-01
Entry 2015-06-26
elasticsearch
< 1.4.0

CVE-2014-6439
70233
https://www.elastic.co/community/security
https://www.elastic.co/blog/elasticsearch-1-4-0-beta-released
https://packetstormsecurity.com/files/128556/Elasticsearch-1.3.x-CORS-Issue.html
http://www.securityfocus.com/archive/1/archive/1/533602/100/0/threaded
a71e7440-1ba3-11e5-b43d-002590263bf5elasticsearch -- directory traversal attack with site plugins

Elastic reports:

Vulnerability Summary: All Elasticsearch versions prior to 1.5.2 and 1.4.5 are vulnerable to a directory traversal attack that allows an attacker to retrieve files from the server running Elasticsearch when one or more site plugins are installed, or when Windows is the server OS.

Remediation Summary: Users should upgrade to 1.4.5 or 1.5.2. Users that do not want to upgrade can address the vulnerability by disabling site plugins. See the CVE description for additional options.


Discovery 2015-04-27
Entry 2015-06-26
elasticsearch
< 1.4.5

ge 1.5.0 lt 1.5.2

CVE-2015-3337
74353
https://www.elastic.co/community/security
https://www.elastic.co/blog/elasticsearch-1-5-2-and-1-4-5-released
https://www.exploit-db.com/exploits/37054/
https://packetstormsecurity.com/files/131646/Elasticsearch-Directory-Traversal.html
http://www.securityfocus.com/archive/1/535385
ae8c09cb-32da-11e5-a4a5-002590263bf5elasticsearch -- directory traversal attack via snapshot API

Elastic reports:

Vulnerability Summary: Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack.

Remediation Summary: Users should upgrade to 1.6.1 or later, or constrain access to the snapshot API to trusted sources.


Discovery 2015-07-16
Entry 2015-08-05
elasticsearch
ge 1.0.0 lt 1.6.1

CVE-2015-5531
ports/201834
https://www.elastic.co/community/security
fb3668df-32d7-11e5-a4a5-002590263bf5elasticsearch -- remote code execution via transport protocol

Elastic reports:

Vulnerability Summary: Elasticsearch versions prior to 1.6.1 are vulnerable to an attack that can result in remote code execution.

Remediation Summary: Users should upgrade to 1.6.1 or 1.7.0. Alternately, ensure that only trusted applications have access to the transport protocol port.


Discovery 2015-07-16
Entry 2015-08-05
elasticsearch
< 1.6.1

CVE-2015-5377
ports/201834
https://www.elastic.co/community/security