The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
History

Tue, 13 Aug 2024 23:30:00 +0000

Type Values Removed Values Added
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-07-28T19:00:00

Updated: 2024-08-06T10:35:56.466Z

Reserved: 2014-04-29T00:00:00

Link: CVE-2014-3120

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2014-07-28T19:55:04.490

Modified: 2016-12-06T18:13:40.637

Link: CVE-2014-3120

cve-icon Redhat

Severity : Important

Publid Date: 2013-12-09T00:00:00Z

Links: CVE-2014-3120 - Bugzilla