Summary
Elasticsearch is prone to a remote-code-execution vulnerability.
Impact
An attacker can exploit this issue to execute arbitrary code
Solution
Ask the vendor for an update or disable 'dynamic scripting'
Insight
Elasticsearch has a flaw in its default configuration which makes it possible for any webpage to execute arbitrary code on visitors with Elasticsearch installed.
Affected
Elasticsearch < 1.2
Detection
Send a special crafted HTTP GET request and check the response
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2014-3120 -
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Advantech WebAccess Multiple Stack Based Buffer Overflow Vulnerabilities
- AN Guestbook Local File Inclusion Vulnerability
- 2532|Gigs Directory Traversal And SQL Injection Multiple Vulnerabilities
- Apache mod_proxy_ftp Wildcard Characters XSS Vulnerability
- Apache Tomcat 'sendfile' Request Attributes Information Disclosure Vulnerability