CVE-2014-4326
high
CVSS v3
—
CVSS v2
7.5
VIR risk
7.5
Description
Elasticsearch Logstash allows remote attackers to execute arbitrary commands
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — https://www.elastic.co/community/security/
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| elastic | logstash | 1.0.14 | |
| elastic | logstash | 1.0.15 | |
| elastic | logstash | 1.0.16 | |
| elastic | logstash | 1.0.17 | |
| elastic | logstash | 1.1.0 | |
| elastic | logstash | 1.1.0.1 | |
| elastic | logstash | 1.1.1 | |
| elastic | logstash | 1.1.2 | |
| elastic | logstash | 1.1.3 | |
| elastic | logstash | 1.1.4 | |
| elastic | logstash | 1.1.5 | |
| elastic | logstash | 1.1.6 | |
| elastic | logstash | 1.1.7 | |
| elastic | logstash | 1.1.8 | |
| elastic | logstash | 1.1.9 | |
| elastic | logstash | 1.1.10 | |
| elastic | logstash | 1.1.11 | |
| elastic | logstash | 1.1.12 | |
| elastic | logstash | 1.1.13 | |
| elastic | logstash | 1.2.1 | |
| elastic | logstash | 1.2.2 | |
| elastic | logstash | 1.3.0 | |
| elastic | logstash | 1.3.1 | |
| elastic | logstash | 1.3.2 | |
| elastic | logstash | 1.3.3 | |
| elastic | logstash | 1.4.0 | |
| elastic | logstash | 1.4.1 | |
References
- https://www.elastic.co/community/security
- http://www.elasticsearch.org/blog/logstash-1-4-2/
- http://www.securityfocus.com/archive/1/532841/100/0/threaded
- https://www.elastic.co/community/security/
- https://nvd.nist.gov/vuln/detail/CVE-2014-4326
- https://github.com/elastic/logstash
- https://web.archive.org/web/20140804031140/http://www.elasticsearch.org/blog/logstash-1-4-2
- https://web.archive.org/web/20201207013408/http://www.securityfocus.com/archive/1/532841/100/0/threaded
CWEs
CWE-78
Verify integrity in audit chain (admin only). AS-IS.