CVE-2015-4152

Directory traversal vulnerability in the file output plugin in Elasticsearch Logstash before 1.4.3 allows remote attackers to write to arbitrary files via vectors related to dynamic field references in the path option.

CVSS v2.0 6.4 MEDIUM

6.4^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:P

Exploitability : 10.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.elastic.co/blog/logstash-1-4-3-released	Vendor Advisory
https://www.elastic.co/community/security/	Vendor Advisory
http://packetstormsecurity.com/files/132233/Logstash-1.4.2-Directory-Traversal.html
http://www.securityfocus.com/archive/1/535725/100/0/threaded

Configurations

Configuration 1 (hide)

cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*

Information

Published : 2015-06-15 08:59

Updated : 2019-06-17 08:48

NVD link : CVE-2015-4152

Mitre link : CVE-2015-4152

JSON object : View

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Products Affected

elastic

logstash

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://www.elastic.co/blog/logstash-1-4-3-released", "name": "https://www.elastic.co/blog/logstash-1-4-3-released", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "https://www.elastic.co/community/security/", "name": "https://www.elastic.co/community/security/", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://packetstormsecurity.com/files/132233/Logstash-1.4.2-Directory-Traversal.html", "name": "http://packetstormsecurity.com/files/132233/Logstash-1.4.2-Directory-Traversal.html", "tags": [], "refsource": "MISC"}, {"url": "http://www.securityfocus.com/archive/1/535725/100/0/threaded", "name": "20150609 Logstash vulnerability CVE-2015-4152", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Directory traversal vulnerability in the file output plugin in Elasticsearch Logstash before 1.4.3 allows remote attackers to write to arbitrary files via vectors related to dynamic field references in the path option."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-22"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2015-4152", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.4, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "impactScore": 4.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2015-06-15T15:59Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "1.4.2"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2019-06-17T15:48Z"}

6.4 /10