Security Advisory

CVE-2014-3120

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2014-07-28 19:00:00

Last updated 2025-10-22 00:05:37

Assigner mitre

State PUBLISHED

Description

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendors intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

← Browse all CVEs View on cve.org ↗