Cross-site scripting in Elasticsearch

CVE-2014-6439 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Basic information

Type: reviewed
Severity: medium
Advisory on GitHub: Open advisory ↗
Repository advisory: —
Source code: Not specified
Published (advisory): 2022-05-14 02:51:14 UTC
Updated: 2023-02-01 05:04:27 UTC
GitHub reviewed: 2022-11-03 21:07:52 UTC
NVD published: 2014-10-10 01:55:00 UTC

EPSS Score

Score	Percentile
0.63%	70.21%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

Type	Value
GHSA	GHSA-8699-m855-cwqf ↗
CVE	CVE-2014-6439 ↗

CWEs

CWE id	Name
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
maven	org.elasticsearch:elasticsearch	< 1.4.0.Beta1	1.4.0.Beta1	—

References

cvelogic Threat Intelligence