The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
Metrics
Affected Vendors & Products
References
History
Tue, 13 Aug 2024 23:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2014-07-28T19:00:00
Updated: 2024-08-06T10:35:56.466Z
Reserved: 2014-04-29T00:00:00
Link: CVE-2014-3120
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2014-07-28T19:55:04.490
Modified: 2016-12-06T18:13:40.637
Link: CVE-2014-3120
Redhat