The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
Published: 2014-07-28
CVSS: 8.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Download Exploit for CVE-2014-3120 here:
Tip: Download official Tor Browser at https://www.torproject.org/download/ to access .onion links.
https://augustaverburg.nl/exploit-795-cve-2024-38106/
https://augustaverburg.nl/exploit-689-cve-2023-48022/
https://augustaverburg.nl/exploit-857-cve-2025-39946/
https://augustaverburg.nl/exploit-467-cve-2020-11651/