High severity 8.1 · CISA KEV · NVD Advisory · Published Jul 28, 2014 · Updated Jun 17, 2026
CVE-2014-3120
Description
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.elasticsearch:elasticsearch (Maven) | < 1.4.0.Beta1 | 1.4.0.Beta1 |
References (18)
- bouk.co/blog/elasticsearch-rce/ (nvd; Exploit)
- www.exploit-db.com/exploits/33370 (nvd; Exploit, WEB)
- www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce (nvd; Exploit, Third Party Advisory, WEB)
- www.securityfocus.com/bid/67731 (nvd; Exploit)
- www.found.no/foundation/elasticsearch-security/ (nvd; Exploit, WEB)
- github.com/advisories/GHSA-mrfm-jxgf-2h6v (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2014-3120 (ghsa; ADVISORY)
- www.elastic.co/blog/logstash-1-4-3-released (nvd; Vendor Advisory, WEB)
- www.elastic.co/community/security/ (nvd; Vendor Advisory)
- bouk.co/blog/elasticsearch-rce (ghsa; WEB)
- www.osvdb.org/106949 (nvd; Broken Link)
- github.com/elastic/elasticsearch/commit/bd0eb32d9c3c3f5b6e5f8630c859cd04bdcd4e06 (ghsa; WEB)
- github.com/elastic/elasticsearch/commit/f9de8b65898509e038e33215db0720b508477a12 (ghsa; WEB)
- github.com/elastic/elasticsearch/issues/7151 (ghsa; WEB)
- github.com/elastic/elasticsearch/pull/7642 (ghsa; WEB)
- web.archive.org/web/20140813071419/http://www.securityfocus.com/bid/67731 (ghsa; WEB)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (nvd; US Government Resource, WEB)
- www.elastic.co/community/security (ghsa; WEB)