CVE-2014-3120
unknown
KEV
CVSS v3: —
CVSS v2: —
VIR risk: 1.5
Description
Elasticsearch enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code.
CISA KEV
- Vendor: Elastic
- Product: Elasticsearch
- Due date: 2022-04-15
Predictions
Exploit likelihood: 99%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — https://nvd.nist.gov/vuln/detail/CVE-2014-3120
Exploits
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.elasticsearch:elasticsearch | <1.4.0.Beta1 | 1.4.0.Beta1 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2014-3120
- https://github.com/elastic/elasticsearch/issues/7151
- https://github.com/elastic/elasticsearch/pull/7642
- https://github.com/elastic/elasticsearch/commit/bd0eb32d9c3c3f5b6e5f8630c859cd04bdcd4e06
- https://github.com/elastic/elasticsearch/commit/f9de8b65898509e038e33215db0720b508477a12
- https://github.com/elastic/elasticsearch
- https://web.archive.org/web/20140813071419/http://www.securityfocus.com/bid/67731
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-3120
- https://www.elastic.co/blog/logstash-1-4-3-released
- https://www.elastic.co/community/security
- https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch
- http://bouk.co/blog/elasticsearch-rce
- http://www.exploit-db.com/exploits/33370
- http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce