Bug#763958: CVE-2014-6439: elasticsearch: default configuration for CORS allows an attacker to craft links

Henri Salo henri at nerv.fi
Sat Oct 4 09:10:55 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: elasticsearch
Version: 1.0.3+dfsg-3
Severity: important
Tags: security, fixed-upstream

http://www.elasticsearch.org/community/security/
http://seclists.org/bugtraq/2014/Oct/18

Summary:

Elasticsearch versions 1.3.x and prior have a default configuration for CORS
that allows an attacker to craft links that could cause a user’s browser to send
requests to Elasticsearch instances on their local network. These requests could
cause data loss or compromise.

Remediation:

Users should either set “http.cors.enabled” to false, or set
“http.cors.allow-origin” to the value of the server that should be allowed
access, such as localhost or a server hosting Kibana. Disabling CORS entirely
with the former setting is more secure, but may not be suitable for all use
cases.

- ---
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlQvuZ8ACgkQXf6hBi6kbk/0yACdGl3VoguQ/1/MmTuZX+dwTuG7
49MAoIqSq7gA7GcYb4JHc3rF1HkocB8r
=rdFL
-----END PGP SIGNATURE-----
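As an added illustration of the two remediation settings quoted above (example code written for this page, not code from the advisory, from Debian or from Elasticsearch): a small Python audit that reads the flat "key: value" lines of an elasticsearch.yml and reports whether CORS is switched off, pinned to one explicit origin, or open to any origin. The three sample files are constructed; the Kibana host name is an assumption, and so is treating an unset http.cors.allow-origin as equivalent to the affected 1.3.x default.

```python
"""Offline audit of the two CORS settings named in the advisory, for an
Elasticsearch 1.x elasticsearch.yml.

Added example; not code from the advisory, Debian or Elasticsearch.
"""

# Constructed sample configs (not taken from any real deployment).
WEAK_CONFIG = """
# 1.3.x-style file that leaves CORS at its defaults: the advisory says
# this lets a crafted page drive the victim's browser against the node.
cluster.name: logs
http.port: 9200
"""

DISABLED_CONFIG = """
cluster.name: logs
http.cors.enabled: false        # first remediation from the advisory
"""

RESTRICTED_CONFIG = """
cluster.name: logs
http.cors.enabled: true
# Second remediation: only the Kibana host may call the node cross-origin.
# The host name is an assumption made for this example.
http.cors.allow-origin: "http://kibana.example.internal"
"""


def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' lines elasticsearch.yml normally uses.

    Assumptions: no nested YAML blocks, '#' starts a comment, and values
    themselves contain no '#'.  The first ':' separates key from value, so
    URLs such as http://... survive as values.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def _truthy(value):
    return str(value).strip().lower() in ("true", "yes", "on", "1")


def audit_cors(settings):
    """Classify the CORS exposure of a parsed config.

    Returns (status, reason) with status one of:
      "ok"          http.cors.enabled is explicitly false
      "restricted"  CORS is on but http.cors.allow-origin names one origin
      "exposed"     CORS is on (explicitly, or by the 1.3.x default) and
                    allow-origin is "*" or unset.  Assumption: an unset
                    allow-origin behaves like the default the advisory
                    describes as exposed.
    """
    enabled = settings.get("http.cors.enabled")
    origin = settings.get("http.cors.allow-origin")
    if enabled is not None and not _truthy(enabled):
        return ("ok", "http.cors.enabled is false (the advisory's more secure option)")
    how = "explicitly" if enabled is not None else "by default on 1.3.x and prior"
    if origin is None or origin == "*":
        shown = origin if origin is not None else "<unset>"
        return ("exposed", "CORS enabled %s with allow-origin %s" % (how, shown))
    return ("restricted", "CORS enabled %s, limited to origin %s" % (how, origin))


def audit_text(yaml_text):
    """Convenience wrapper: parse then audit one elasticsearch.yml body."""
    return audit_cors(parse_flat_yaml(yaml_text))


if __name__ == "__main__":
    samples = (("weak", WEAK_CONFIG),
               ("disabled", DISABLED_CONFIG),
               ("restricted", RESTRICTED_CONFIG))
    for name, cfg in samples:
        status, reason = audit_text(cfg)
        print("%-10s %-10s %s" % (name, status, reason))
```

Run it against a copy of /etc/elasticsearch/elasticsearch.yml (read the file and pass its contents to audit_text) to see which of the three states a 1.x node is in; a "restricted" result only helps if the listed origin really is the only page that should talk to the node, as the remediation text says.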

More information about the pkg-java-maintainers mailing list