The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HElastic Elasticsearch
APPElastic< 1.3.81.4.0 β 1.4.3 (bez)Red Hat Fuse
APPRedhat1.0.0
CISA KEV β detailsi
- Vendori
- Elastic
- Producti
- Elasticsearch
- Added to KEVi
- March 25, 2022
- Remediation deadline (US Federal)i
- April 15, 2022(overdue)
Apply updates per vendor instructions.
The Groovy scripting engine in Elasticsearch allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands.
Related vulnerabilities
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows rem...
Brak walidacji nagΕΓ³wka Host w serwerze Undertow HTTP
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions,...
Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving...
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized ...