ElasticSearch Information Disclosure

By kannthu

Low
Vidoc Module
#elastic #unauth #elasticsearch
Description

What is "ElasticSearch Information Disclosure"?

The "ElasticSearch Information Disclosure" module is designed to detect potential information disclosure vulnerabilities in ElasticSearch, a popular search and analytics engine. This module focuses on identifying misconfigurations that could lead to sensitive data being exposed. The severity of this vulnerability is classified as low.

Original author(s): Shine, c-sh0, geeknik

Impact

If the ElasticSearch Information Disclosure vulnerability is present, it could allow unauthorized access to sensitive information stored in the ElasticSearch database. This could potentially lead to the exposure of confidential data, such as user credentials, personal information, or proprietary business data.

How does the module work?

The module works by sending specific HTTP requests to the target ElasticSearch instance and analyzing the responses for indicators of information disclosure. It checks for the presence of certain keywords in the response body, headers, and the HTTP status code to determine if the vulnerability exists.

Example HTTP request:

GET /?pretty

The module uses the following matching conditions:

- Check if the response contains any of the following keywords: "took":, "number" :, "number_of_nodes"
- Check if the response headers indicate one of the following content types: application/json, application/vnd.api+json, text/plain
- Check if the HTTP status code is 200

If all the matching conditions are met, the module reports the vulnerability, indicating a potential information disclosure issue in the ElasticSearch instance.
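The three matching conditions above, written out as an added example (not Vidoc's module code) and run over constructed responses. It assumes keywords are substring-matched against the body and content types against the Content-Type header; the function names and sample responses are hypothetical.

```python
# Added example: offline re-implementation of the page's matching conditions.
KEYWORDS = ('"took":', '"number" :', '"number_of_nodes"')
CONTENT_TYPES = ("application/json", "application/vnd.api+json", "text/plain")


def matches_disclosure(status, headers, body):
    """Return True only when all three conditions from the page hold."""
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    content_type = lowered.get("content-type", "")
    word_hit = any(k in body for k in KEYWORDS)             # any keyword
    type_hit = any(t in content_type for t in CONTENT_TYPES)  # any type
    return word_hit and type_hit and status == 200


# Constructed sample responses (not captured from a real cluster).
SAMPLES = {
    # Pretty-printed root document: note the space before the colon.
    "open_root": (200, {"Content-Type": "application/json; charset=UTF-8"},
                  '{\n  "name" : "node-1",\n  "version" : {\n'
                  '    "number" : "0.0.0"\n  }\n}'),
    # Compact search response: "took": with no space.
    "open_search": (200, {"content-type": "application/json"},
                    '{"took":3,"timed_out":false,"hits":{"hits":[]}}'),
    # Authentication enforced: the status condition fails.
    "auth_required": (401, {"Content-Type": "application/json"},
                      '{"error":{"type":"security_exception"},"status":401}'),
    # Keyword present but wrong content type: the header condition fails.
    "html_200": (200, {"Content-Type": "text/html"},
                 '<html><body>"number_of_nodes"</body></html>'),
}


def audit(samples):
    """Map each sample name to the matcher verdict."""
    return {name: matches_disclosure(*resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, flagged in audit(SAMPLES).items():
        print(f"{name}: {'REPORT' if flagged else 'no match'}")
```

An instance that answers these paths with 401 or 403 no longer satisfies the status condition, which is the state an operator wants to confirm after enabling authentication.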

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /?pretty, /_cat/indices?v, /_all/_search (+1 paths)
Matching conditions
word: "took":, "number" :, "number_of_nodes" and
word: application/json, application/vnd.api+js... and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability