Critical severity 9.8 · CISA KEV · NVD Advisory · Published Feb 17, 2015 · Updated Apr 22, 2026
CVE-2015-1427
Description
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.elasticsearch:elasticsearch (Maven) | < 1.3.8 | 1.3.8 |
| org.elasticsearch:elasticsearch (Maven) | >= 1.4.0, < 1.4.3 | 1.4.3 |
Affected products (2)
Patches (0)
No patches discovered yet.
References (13)
- www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/ (nvd: Patch, Vendor Advisory)
- packetstormsecurity.com/files/130784/ElasticSearch-Unauthenticated-Remote-Code-Execution.html (nvd: Exploit, Third Party Advisory, VDB Entry, WEB)
- packetstormsecurity.com/files/130368/Elasticsearch-1.3.7-1.4.2-Sandbox-Escape-Command-Execution.html (nvd: Third Party Advisory, VDB Entry, WEB)
- www.securityfocus.com/archive/1/534689/100/0/threaded (nvd: Broken Link, Third Party Advisory, VDB Entry)
- www.securityfocus.com/bid/72585 (nvd: Broken Link, Third Party Advisory, VDB Entry)
- access.redhat.com/errata/RHSA-2017:0868 (nvd: Third Party Advisory, WEB)
- exchange.xforce.ibmcloud.com/vulnerabilities/100850 (nvd: Third Party Advisory, VDB Entry, WEB)
- github.com/advisories/GHSA-w94p-6mhw-4qxw (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-1427 (ghsa: ADVISORY)
- www.elastic.co/community/security/ (nvd: Not Applicable, Vendor Advisory)
- www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released (ghsa: WEB)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (nvd: US Government Resource)
- www.elastic.co/community/security (ghsa: WEB)