AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2018-17247: Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a

mediumvulnerability

security

Source: NVD/CVE DatabaseDecember 20, 2018CVE-2018-17247

Summary

Elasticsearch Security versions 6.5.0 and 6.5.1 have an XXE flaw (XML external entity injection, where an attacker exploits how the software processes XML data) in the Machine Learning find_file_structure API. If Elasticsearch's Java Security Manager allows external network access, an attacker could send a crafted request to leak local files from the server, potentially exposing sensitive information.

Vulnerability Details

CVSS Score

4.3

EPSS (30-day exploit probability)

EPSS: 0.3%

Classification

Attack Type

Data Extraction

Attack SophisticationModerate

Impact (CIA+S)

confidentiality

AI Component TargetedInference

Taxonomy References

CWE (Weakness Type)

CWE-611 CWE-611

Affected Vendors

Related Issues

critical

CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive

Similar attackNVD/CVE Database

high

CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint

First tracked: February 15, 2026 at 08:53 PM

Classified by LLM (prompt v3) · confidence: 72%