CVE-2014-3120 — Elasticsearch Improper Access Control vulnerability

Description

The default configuration in Elasticsearch before 1.4.0.Beta1 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

How to fix CVE-2014-3120

To remediate CVE-2014-3120, upgrade the affected package to a fixed version below.

—upgrade to 1.4.0.Beta1 or later

Is CVE-2014-3120 being exploited?

Yes — CVE-2014-3120 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (1)

from 0, < 1.4.0.Beta1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:H

References (14)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-3120
PATCHgithub.com/elastic/elasticsearch
WEBbouk.co/blog/elasticsearch-rce
WEBgithub.com/elastic/elasticsearch/commit/bd0eb32d9c3c3f5b6e5f8630c859cd04bdcd4e06