CVE-2021-31828

{"id": "CVE-2021-31828", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2021-05-06T19:15:07.630", "references": [{"url": "https://github.com/opendistro-for-elasticsearch/alerting/pull/353", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://opendistro.github.io/for-elasticsearch-docs/version-history/", "tags": ["Release Notes", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://rotem-bar.com/ssrf-in-open-distro-for-elasticsearch-cve-2021-31828", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "An SSRF issue in Open Distro for Elasticsearch (ODFE) before 1.13.1.0 allows an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Alerting plugin's intended scope."}, {"lang": "es", "value": "Un problema de SSRF en Open Distro para Elasticsearch (ODFE) versiones anteriores a 1.13.1.0, permite a un usuario privilegiado existente enumerar los servicios de escucha o interactuar con los recursos configurados por medio de peticiones HTTP que exceden el alcance previsto del plugin Alerting"}], "lastModified": "2021-05-18T13:26:35.703", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:amazon:open_distro:*:*:*:*:*:elasticsearch:*:*", "vulnerable": true, "matchCriteriaId": "9284C1A8-7EB9-4B7B-8718-06BC09EED4C4", "versionEndExcluding": "1.13.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}