CVE-2014-3120
HIGH8.1⚠ KEVEPSS 84.2%Elasticsearch Improper Access Control vulnerability
Published: 5/17/2022Modified: 10/22/2025Added to CISA KEV: 3/25/2022
Description
The default configuration in Elasticsearch before 1.4.0.Beta1 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
Affected packages (1)
- Maven/org.elasticsearch:elasticsearchfrom 0, < 1.4.0.Beta1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:H |
References (14)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2014-3120
- PATCHhttps://github.com/elastic/elasticsearch
- WEBhttp://bouk.co/blog/elasticsearch-rce
- WEBhttps://github.com/elastic/elasticsearch/commit/bd0eb32d9c3c3f5b6e5f8630c859cd04bdcd4e06
- WEBhttps://github.com/elastic/elasticsearch/commit/f9de8b65898509e038e33215db0720b508477a12
- WEBhttps://github.com/elastic/elasticsearch/issues/7151
- WEBhttps://github.com/elastic/elasticsearch/pull/7642
- WEBhttps://web.archive.org/web/20140813071419/http://www.securityfocus.com/bid/67731
- WEBhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-3120
- WEBhttps://www.elastic.co/blog/logstash-1-4-3-released
- WEBhttps://www.elastic.co/community/security
- WEBhttps://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch
- WEBhttp://www.exploit-db.com/exploits/33370
- WEBhttp://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce