elasticsearch elasticsearch CVE-2014-3120 is a vulnerability in Elasticsearch
Published on July 28, 2014

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Known Exploited Vulnerability

This Elasticsearch Remote Code Execution Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Elasticsearch enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code.

The following remediation steps are recommended / required by April 15, 2022: Apply updates per vendor instructions.

Vulnerability Analysis

What is an Authorization Vulnerability?

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVE-2014-3120 has been classified to as an Authorization vulnerability or weakness.


Products Associated with CVE-2014-3120

You can be notified by stack.watch whenever vulnerabilities like CVE-2014-3120 are published in these products:

 

What versions of Elasticsearch are vulnerable to CVE-2014-3120?