Elasticsearch@* Security Vulnerabilities and Issues — Elasticsearch@* CVE List

Lucene search

ElasticsearchElasticsearch*

4 matches found

CVE•added 2014/07/28 7:55 p.m.•1064 views

CVE-2014-3120

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsear...

8.1CVSS7.5AI score0.79814EPSS

CVE•added 2015/05/01 3:59 p.m.•133 views

CVE-2015-3337

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.

4.3CVSS8.9AI score0.90729EPSS

CVE•added 2015/08/17 3:59 p.m.•110 views

CVE-2015-5531

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.

5CVSS9AI score0.84215EPSS

CVE•added 2014/10/10 1:55 a.m.•78 views

CVE-2014-6439

Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3CVSS5.6AI score0.00321EPSS