CVE-2014-3120 is a vulnerability in Elasticsearch
Published on July 28, 2014
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
Known Exploited Vulnerability
This Elasticsearch Remote Code Execution Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Elasticsearch enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code.
The following remediation steps are recommended / required by April 15, 2022: Apply updates per vendor instructions.
Vulnerability Analysis
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2014-3120 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2014-3120
You can be notified by stack.watch whenever vulnerabilities like CVE-2014-3120 are published in these products:
What versions of Elasticsearch are vulnerable to CVE-2014-3120?
-
Elasticsearch
Fixed in Version 1.2