Vulnerabilities

CVE-2014-3120

by Fred · 28/07/2014

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor’s intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

Date published : 2014-07-28

http://www.securityfocus.com/bid/67731

https://www.elastic.co/blog/logstash-1-4-3-released

Similar

Tags: Cybersecurity Alert