Headline
CVE-2022-38299: fix: Adding checks to prevent disallowed hosts from connecting via Elasticsearch plugin by mohanarpit · Pull Request #15834 · appsmithorg/appsmith
An issue in the Elasticsearch plugin of Appsmith v1.7.11 allows attackers to connect disallowed hosts to the AWS/GCP internal metadata endpoint.
Conversation
mohanarpit deleted the chore/fix-elasticsearch-metadata branch
Aug 8, 2022
sharat87 added a commit that referenced this issue
Aug 8, 2022
…asticsearch plugin (#15834)
Description
This PR fixes an issue where a potentially malicious user can connect to disallowed hosts from the Elasticsearch plugin within Appsmith. This is because Elasticsearch client SDK is a HTTP interface underneath the hood.
Type of change
- Bug fix (non-breaking change which fixes an issue)
How Has This Been Tested?
- Junits for the following:
- create datasource with disallowed host
- validate datasource with disallowed host
- test datasource with disallowed host
Checklist:
- [x] My code follows the style guidelines of this project
- [x] I have performed a self-review of my own code
- [x] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] New and existing unit tests pass locally with my changes
(cherry picked from commit c1dbca6) Signed-off-by: Shrikant Sharat Kandula [email protected]