XXE in Elastic App Search
CVE-2021-22140
Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could c…
Vulnerability class: XXE (XML External Entity)
EPSS: 0.004 (59.5th percentile)
Affected products
- Elastic App Search — versions after 7.11.0 and before 7.12.0
Weakness classification (CWE)
References
- discuss.elastic.co/t/7-12-1-security-update/271433