CVE-2014-3120 – org.elasticsearch:elasticsearch

Package

Manager: maven
Name: org.elasticsearch:elasticsearch
Vulnerable Version: >=0 <1.4.0.beta1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.79814 pctl0.99065

Details

Elasticsearch Improper Access Control vulnerability The default configuration in Elasticsearch before 1.4.0.Beta1 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

Metadata

Created: 2022-05-17T03:28:58Z
Modified: 2025-01-06T22:28:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mrfm-jxgf-2h6v/GHSA-mrfm-jxgf-2h6v.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-mrfm-jxgf-2h6v
Finding: F039
Auto approve: 1