CVE-2014-3120

high

Description

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

References

https://www.greynoise.io/blog/coordinated-cloud-based-scanning-operation-targets-75-known-exposure-points

https://www.tenable.com/blog/patched-elasticsearch-vulnerabilities-used-to-spread-cryptocurrency-miner-cve-2014-3120-cve

https://www.elastic.co/community/security/

https://www.elastic.co/blog/logstash-1-4-3-released

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-3120

Details

Source: Mitre, NVD

Published: 2014-07-28

Updated: 2025-10-22

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Severity: High

EPSS

EPSS: 0.85557