CVE-2014-3120 : The default configuration in Elasticsearch before 1.2 enables dynamic scripting,

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

Published 2014-07-28 19:55:04

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2014-3120

Elasticsearch » Elasticsearch
Versions before (<) 1.2
cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:*:*:*
Matching versions

CVE-2014-3120 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Elasticsearch Remote Code Execution Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

Elasticsearch enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code.

Notes:

https://nvd.nist.gov/vuln/detail/CVE-2014-3120

Added on 2022-03-25 Action due date 2022-04-15

Exploit prediction scoring system (EPSS) score for CVE-2014-3120

EPSS FAQ

83.43%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2014-3120

ElasticSearch Dynamic Script Arbitrary Java Execution

Disclosure Date: 2013-12-09

First seen: 2020-04-26

exploit/multi/elasticsearch/script_mvel_rce

This module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the REST API, which does not require authentication, where the search function allows dynamic scripts exe

More information

CVSS scores for CVE-2014-3120

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N	2.8	5.2	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-10
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2014-3120

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2014-3120

http://www.exploit-db.com/exploits/33370

ElasticSearch - Remote Code Execution - Multiple webapps Exploit
Exploit
http://www.osvdb.org/106949

404 Not Found
Broken Link
https://www.elastic.co/blog/logstash-1-4-3-released

Logstash 1.4.3 released | Elastic Blog
Vendor Advisory

CVEs referencing this url
http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce

ElasticSearch Dynamic Script Arbitrary Java Execution
Exploit;Third Party Advisory
http://www.securityfocus.com/bid/67731

Elasticsearch CVE-2014-3120 Arbitrary Java Code Execution Vulnerability
Exploit
http://bouk.co/blog/elasticsearch-rce/

Exploit
https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch

Tips to secure Elasticsearch clusters for free with encryption, users, and more | Elastic Blog
Exploit
https://www.elastic.co/community/security/

Elastic Stack Security Disclosures · Report Issues | Elastic
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2014-3120