CVE-2014-3120: Elasticsearch Improper Access Control vulnerability
The default configuration in Elasticsearch before 1.4.0.Beta1 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor’s intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
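Two defender-side checks for the exposure described above, added here as an example (this is not Elasticsearch project code): an audit of an elasticsearch.yml for the `script.disable_dynamic: true` setting that switches dynamic scripting off on affected 1.x releases, and a scan of HTTP access-log lines for `_search` requests whose `source` query parameter carries a scripted query body or cannot be parsed at all. The log line format, the sample log lines and the sample configuration are all constructed for this example; `script.disable_dynamic` is the real setting name.

```python
"""Defender-side checks for the CVE-2014-3120 exposure (added example, not project code).

1. dynamic_scripting_disabled(): does an elasticsearch.yml explicitly set
   script.disable_dynamic: true?  On affected releases the default allowed
   dynamic scripts, so a missing or commented-out setting counts as exposed.
2. flag_scripted_search_requests(): which access-log lines are _search
   requests whose ``source`` parameter contains a script element, or whose
   ``source`` is not valid JSON (worth a look either way)?
The log format and all sample data below are constructed for this example.
"""
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

# JSON keys that introduce a script in an Elasticsearch 1.x search body.
SCRIPT_KEYS = {"script", "_script", "script_fields"}

# Request portion of a common-log-format line (constructed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CLIENT_RE = re.compile(r"^(?P<ip>\S+) ")


def dynamic_scripting_disabled(config_text: str) -> bool:
    """Return True only when script.disable_dynamic is set to true.

    Comments are stripped first, so a commented-out line does not count.
    Any other value (false, sandbox, absent) is treated as not disabled,
    which is the conservative reading for an audit.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        if key.strip() == "script.disable_dynamic":
            return value.strip().strip("\"'").lower() == "true"
    return False


def _contains_script_key(node) -> bool:
    """Recursively look for a script-introducing key anywhere in the body."""
    if isinstance(node, dict):
        return any(k in SCRIPT_KEYS or _contains_script_key(v) for k, v in node.items())
    if isinstance(node, list):
        return any(_contains_script_key(v) for v in node)
    return False


def flag_scripted_search_requests(log_lines):
    """Return one finding per _search request with a scripted or unparseable source."""
    findings = []
    for line in log_lines:
        req = REQUEST_RE.search(line)
        if not req:
            continue
        parts = urlsplit(req.group("target"))
        if not parts.path.rstrip("/").endswith("/_search"):
            continue
        client = CLIENT_RE.match(line).group("ip")
        # parse_qs already percent-decodes the parameter value.
        for src in parse_qs(parts.query).get("source", []):
            try:
                body = json.loads(src)
            except ValueError:
                findings.append({"client": client, "path": parts.path,
                                 "reason": "source is not valid JSON"})
                continue
            if _contains_script_key(body):
                findings.append({"client": client, "path": parts.path,
                                 "reason": "scripted search body in source parameter"})
    return findings


# ---- constructed sample data -------------------------------------------------
SAMPLE_CONFIG = """\
cluster.name: prod-search   # constructed sample elasticsearch.yml
node.name: node-1
# script.disable_dynamic: true   <- commented out, so still exposed
"""
HARDENED_CONFIG = "cluster.name: prod-search\nscript.disable_dynamic: true\n"


def _log_line(ip: str, target: str) -> str:
    return f'{ip} - - [01/Jan/2015:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512'


SAMPLE_LOG = [
    _log_line("10.0.0.5", "/logs/_search?q=user:alice"),                       # plain query
    _log_line("10.0.0.9", "/_search?source=" + quote(json.dumps(
        {"query": {"match_all": {}}, "script_fields": {"f": {"script": "1 + 1"}}}), safe="")),
    _log_line("10.0.0.7", "/logs/_search?source=" + quote(json.dumps(
        {"query": {"match_all": {}}}), safe="")),                              # no script
    _log_line("10.0.0.3", "/logs/_search?source=%7Bnot-json"),                 # malformed
]

if __name__ == "__main__":
    print("sample config disables dynamic scripting:", dynamic_scripting_disabled(SAMPLE_CONFIG))
    print("hardened config disables dynamic scripting:", dynamic_scripting_disabled(HARDENED_CONFIG))
    for finding in flag_scripted_search_requests(SAMPLE_LOG):
        print(finding)
```

The log scan only covers the GET form with a `source` parameter that the advisory names; request bodies of POST searches are not present in an access log, so that case needs a proxy or request-body log to apply the same check.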
References
- github.com/advisories/GHSA-mrfm-jxgf-2h6v
- github.com/elastic/elasticsearch
- github.com/elastic/elasticsearch/commit/bd0eb32d9c3c3f5b6e5f8630c859cd04bdcd4e06
- github.com/elastic/elasticsearch/commit/f9de8b65898509e038e33215db0720b508477a12
- github.com/elastic/elasticsearch/issues/7151
- github.com/elastic/elasticsearch/pull/7642
- nvd.nist.gov/vuln/detail/CVE-2014-3120
- web.archive.org/web/20140813071419/http://www.securityfocus.com/bid/67731
- www.elastic.co/blog/logstash-1-4-3-released
- www.elastic.co/community/security
- www.found.no/foundation/elasticsearch-security/