Maven package
org.elasticsearch/elasticsearch
pkg:maven/org.elasticsearch/elasticsearch
Vulnerabilities (44)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2015-3337 | — | | | < 1.4.5 | 1.4.5 | May 1, 2015 | Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors. |
| CVE-2015-1427 | Cri | 9.8 | KEV | < 1.3.8 | 1.3.8 | Feb 17, 2015 | The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script. |
| CVE-2014-6439 | — | | | < 1.4.0.Beta1 | 1.4.0.Beta1 | Oct 10, 2014 | Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2014-3120 | Hig | 8.1 | KEV | < 1.4.0.Beta1 | 1.4.0.Beta1 | Jul 28, 2014 | The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does |