HIGH🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2014-3120

CVSS 8.1v3.1pub. 2014-07-28upd. 2026-04-22

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
  • Elastic Elasticsearch

    APP
    Elastic
    < 1.2.0

CISA KEV — detailsi

Vendori
Elastic
Producti
Elasticsearch
Added to KEVi
March 25, 2022
Remediation deadline (US Federal)i
April 15, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Elasticsearch enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 15 kwietnia 2022
CWE
References

Related vulnerabilities

CVE-2015-1427CRITICAL9.8⚠ KEVten sam produkt

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to by...

CVE-2015-5377CRITICAL9.8ten sam produkt

Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving...

CVE-2023-31418HIGH7.5ten sam produkt

An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenti...

CVE-2022-23712HIGH7.5ten sam produkt

A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacke...

CVE-2021-22146HIGH7.5ten sam produkt

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed...