QwikSec

Security Database

CVE

CWE

Training

CVE-2014-3120

Published: Jul 28, 2014

Modified: Oct 22, 2025

PUBLISHED

Description

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://www.elastic.co/blog/logstash-1-4-3-released

x_refsource_CONFIRM

exploit

x_refsource_EXPLOIT-DB

vdb-entry

x_refsource_BID

vdb-entry

x_refsource_OSVDB

http://bouk.co/blog/elasticsearch-rce/

x_refsource_MISC

http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce

x_refsource_MISC

https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch

x_refsource_MISC

https://www.elastic.co/community/security/

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.