CVE-2015-1427 – org.elasticsearch:elasticsearch
Package
Manager: maven
Name: org.elasticsearch:elasticsearch
Vulnerable Version: >=0 <1.3.8 || >=1.4.0 <1.4.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.93024 (percentile 0.9977)
Details
Improper Access Control in Elasticsearch
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
Metadata
Created: 2022-05-14T02:49:44Z
Modified: 2022-07-06T20:26:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w94p-6mhw-4qxw/GHSA-w94p-6mhw-4qxw.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-w94p-6mhw-4qxw
Finding: F039
Auto approve: 1