High severity · CVSS 8.1 · CISA KEV · NVD Advisory · Published Jul 28, 2014 · Updated Apr 22, 2026
CVE-2014-3120
Description
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.elasticsearch:elasticsearch (Maven) | < 1.4.0.Beta1 | 1.4.0.Beta1 |
Affected products
Patches (1)
bd0eb32d9c3c — CORS: Disable by default
4 files changed · +7 −6
docs/reference/modules/http.asciidoc+1 −1 modified@@ -39,7 +39,7 @@ Defaults to `6`. |`http.cors.enabled` |Enable or disable cross-origin resource sharing, i.e. whether a browser on another origin can do requests to -Elasticsearch. Defaults to `true`. +Elasticsearch. Defaults to `false`. |`http.cors.allow-origin` |Which origins to allow. Defaults to `*`, i.e. any origin. If you prepend and append a `/` to the value, this will
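--- a/src/main/java/org/elasticsearch/http/netty/NettyHttpChannel.java
+++ b/src/main/java/org/elasticsearch/http/netty/NettyHttpChannel.java
@@ -96,7 +96,7 @@ public void sendResponse(RestResponse response) {
             resp = new DefaultHttpResponse(HttpVersion.HTTP_1_1, status);
         }
         if (RestUtils.isBrowser(nettyRequest.headers().get(USER_AGENT))) {
-            if (transport.settings().getAsBoolean(SETTING_CORS_ENABLED, true)) {
+            if (transport.settings().getAsBoolean(SETTING_CORS_ENABLED, false)) {
                 String originHeader = request.header(ORIGIN);
                 if (!Strings.isNullOrEmpty(originHeader)) {
                     if (corsPattern == null) {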
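Review bot: The new default is a bare literal `false` at the `getAsBoolean(SETTING_CORS_ENABLED, false)` call, and the same value is restated independently in docs/reference/modules/http.asciidoc; a named constant declared next to `SETTING_CORS_ENABLED` in NettyHttpServerTransport (e.g. `DEFAULT_CORS_ENABLED = false`, name constructed) would keep the code default and any other reader of the setting from drifting apart. Only the enabled flag changes here: the docs hunk on this page still says `http.cors.allow-origin` defaults to `*`, so an operator who sets `http.cors.enabled: true` without narrowing allow-origin gets the pre-patch wildcard behaviour, and a comment above the check, `// CORS is opt-in; enabling it without http.cors.allow-origin still reflects any origin`, would make that visible at the point of use. The CORS branch is also only reached when `RestUtils.isBrowser` accepts the User-Agent, so the setting has no effect on responses to non-browser clients. sendResponse starts and ends outside the hunk, and the identical hunk recurs in the second commit (f9de8b6) on this page.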
src/test/java/org/elasticsearch/rest/CorsRegexDefaultTests.java+2 −3 modified@@ -31,13 +31,12 @@ public class CorsRegexDefaultTests extends ElasticsearchIntegrationTest { @Test - public void testCorsSettingDefaultBehaviour() throws Exception { + public void testCorsSettingDefaultBehaviourDoesNotReturnAnything() throws Exception { String corsValue = "http://localhost:9200"; HttpResponse response = httpClient().method("GET").path("/").addHeader("User-Agent", "Mozilla Bar").addHeader("Origin", corsValue).execute(); assertThat(response.getStatusCode(), is(200)); - assertThat(response.getHeaders(), hasKey("Access-Control-Allow-Origin")); - assertThat(response.getHeaders().get("Access-Control-Allow-Origin"), is("*")); + assertThat(response.getHeaders(), not(hasKey("Access-Control-Allow-Origin"))); assertThat(response.getHeaders(), not(hasKey("Access-Control-Allow-Credentials"))); }
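Review bot: The test depends on the `User-Agent: Mozilla Bar` header to reach the CORS branch at all, since the check in NettyHttpChannel is gated on `RestUtils.isBrowser`, but nothing in the test says so; a comment such as `// a browser-looking User-Agent is required, otherwise the CORS path is skipped regardless of the setting` would record why the header matters. The new method name `testCorsSettingDefaultBehaviourDoesNotReturnAnything` is vague about what is not returned; `testCorsDisabledByDefaultSendsNoCorsHeaders` states the contract being asserted. The assertions cover only Access-Control-Allow-Origin and Access-Control-Allow-Credentials on a plain GET; whether other CORS response headers or an OPTIONS preflight are covered elsewhere is not visible from this hunk. The class starts outside the hunk, and the same hunk recurs in the second commit (f9de8b6).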
src/test/java/org/elasticsearch/rest/CorsRegexTests.java+3 −1 modified@@ -34,6 +34,7 @@ import static org.elasticsearch.http.netty.NettyHttpServerTransport.SETTING_CORS_ALLOW_ORIGIN; import static org.elasticsearch.http.netty.NettyHttpServerTransport.SETTING_CORS_ALLOW_CREDENTIALS; +import static org.elasticsearch.http.netty.NettyHttpServerTransport.SETTING_CORS_ENABLED; import static org.elasticsearch.test.ElasticsearchIntegrationTest.ClusterScope; import static org.elasticsearch.test.ElasticsearchIntegrationTest.Scope; import static org.hamcrest.Matchers.*; @@ -52,7 +53,8 @@ protected Settings nodeSettings(int nodeOrdinal) { return ImmutableSettings.settingsBuilder() .put(super.nodeSettings(nodeOrdinal)) .put(SETTING_CORS_ALLOW_ORIGIN, "/https?:\\/\\/localhost(:[0-9]+)?/") - .put(SETTING_CORS_ALLOW_CREDENTIALS, "true") + .put(SETTING_CORS_ALLOW_CREDENTIALS, true) + .put(SETTING_CORS_ENABLED, true) .build(); }
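Review bot: The second hunk changes `.put(SETTING_CORS_ALLOW_CREDENTIALS, "true")` to `.put(SETTING_CORS_ALLOW_CREDENTIALS, true)`, which is unrelated to enabling CORS for the test and presumably relies on a boolean `put` overload on the settings builder; keeping that cleanup out of a security fix, or stating it in the commit message, would make the intent of the diff clearer. The added `.put(SETTING_CORS_ENABLED, true)` is the part that actually preserves the test's coverage now that the default is off, and a short comment `// CORS is disabled by default since this fix; these tests exercise the enabled path` would explain why the test must opt in. nodeSettings' signature is in the hunk header and so starts outside the hunk; the same hunks recur in the second commit (f9de8b6).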
f9de8b658985 — CORS: Disable by default
4 files changed · +7 −6
docs/reference/modules/http.asciidoc+1 −1 modified@@ -39,7 +39,7 @@ Defaults to `6`. |`http.cors.enabled` |Enable or disable cross-origin resource sharing, i.e. whether a browser on another origin can do requests to -Elasticsearch. Defaults to `true`. +Elasticsearch. Defaults to `false`. |`http.cors.allow-origin` |Which origins to allow. Defaults to `*`, i.e. any origin. If you prepend and append a `/` to the value, this will
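--- a/src/main/java/org/elasticsearch/http/netty/NettyHttpChannel.java
+++ b/src/main/java/org/elasticsearch/http/netty/NettyHttpChannel.java
@@ -96,7 +96,7 @@ public void sendResponse(RestResponse response) {
             resp = new DefaultHttpResponse(HttpVersion.HTTP_1_1, status);
         }
         if (RestUtils.isBrowser(nettyRequest.headers().get(USER_AGENT))) {
-            if (transport.settings().getAsBoolean(SETTING_CORS_ENABLED, true)) {
+            if (transport.settings().getAsBoolean(SETTING_CORS_ENABLED, false)) {
                 String originHeader = request.header(ORIGIN);
                 if (!Strings.isNullOrEmpty(originHeader)) {
                     if (corsPattern == null) {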
src/test/java/org/elasticsearch/rest/CorsRegexDefaultTests.java+2 −3 modified@@ -31,13 +31,12 @@ public class CorsRegexDefaultTests extends ElasticsearchIntegrationTest { @Test - public void testCorsSettingDefaultBehaviour() throws Exception { + public void testCorsSettingDefaultBehaviourDoesNotReturnAnything() throws Exception { String corsValue = "http://localhost:9200"; HttpResponse response = httpClient().method("GET").path("/").addHeader("User-Agent", "Mozilla Bar").addHeader("Origin", corsValue).execute(); assertThat(response.getStatusCode(), is(200)); - assertThat(response.getHeaders(), hasKey("Access-Control-Allow-Origin")); - assertThat(response.getHeaders().get("Access-Control-Allow-Origin"), is("*")); + assertThat(response.getHeaders(), not(hasKey("Access-Control-Allow-Origin"))); assertThat(response.getHeaders(), not(hasKey("Access-Control-Allow-Credentials"))); }
src/test/java/org/elasticsearch/rest/CorsRegexTests.java+3 −1 modified@@ -34,6 +34,7 @@ import static org.elasticsearch.http.netty.NettyHttpServerTransport.SETTING_CORS_ALLOW_ORIGIN; import static org.elasticsearch.http.netty.NettyHttpServerTransport.SETTING_CORS_ALLOW_CREDENTIALS; +import static org.elasticsearch.http.netty.NettyHttpServerTransport.SETTING_CORS_ENABLED; import static org.elasticsearch.test.ElasticsearchIntegrationTest.ClusterScope; import static org.elasticsearch.test.ElasticsearchIntegrationTest.Scope; import static org.hamcrest.Matchers.*; @@ -52,7 +53,8 @@ protected Settings nodeSettings(int nodeOrdinal) { return ImmutableSettings.settingsBuilder() .put(super.nodeSettings(nodeOrdinal)) .put(SETTING_CORS_ALLOW_ORIGIN, "/https?:\\/\\/localhost(:[0-9]+)?/") - .put(SETTING_CORS_ALLOW_CREDENTIALS, "true") + .put(SETTING_CORS_ALLOW_CREDENTIALS, true) + .put(SETTING_CORS_ENABLED, true) .build(); }
References
- bouk.co/blog/elasticsearch-rce/ (nvd: Exploit)
- www.exploit-db.com/exploits/33370 (nvd: Exploit, WEB)
- www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce (nvd: Exploit, Third Party Advisory, WEB)
- www.securityfocus.com/bid/67731 (nvd: Exploit)
- www.found.no/foundation/elasticsearch-security/ (nvd: Exploit, WEB)
- github.com/advisories/GHSA-mrfm-jxgf-2h6v (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2014-3120 (ghsa: ADVISORY)
- www.elastic.co/blog/logstash-1-4-3-released (nvd: Vendor Advisory, WEB)
- www.elastic.co/community/security/ (nvd: Vendor Advisory)
- bouk.co/blog/elasticsearch-rce (ghsa: WEB)
- www.osvdb.org/106949 (nvd: Broken Link)
- github.com/elastic/elasticsearch/commit/bd0eb32d9c3c3f5b6e5f8630c859cd04bdcd4e06 (ghsa: WEB)
- github.com/elastic/elasticsearch/commit/f9de8b65898509e038e33215db0720b508477a12 (ghsa: WEB)
- github.com/elastic/elasticsearch/issues/7151 (ghsa: WEB)
- github.com/elastic/elasticsearch/pull/7642 (ghsa: WEB)
- web.archive.org/web/20140813071419/http://www.securityfocus.com/bid/67731 (ghsa: WEB)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (nvd: US Government Resource, WEB)
- www.elastic.co/community/security (ghsa: WEB)