| Name | elasticsearch_CVE_2015_1427 |
|---|---|
| CVE | CVE-2015-1427 Exploit Pack |
| Vendor | elastic |

Notes:
Elasticsearch versions 1.3.x before 1.3.8 and 1.4.x before 1.4.3 ship with dynamic scripting enabled by default, using Groovy as the scripting language. A bypass of the Groovy sandbox can be used to obtain remote code execution through a Groovy script.

Elasticsearch 1.4.3 disabled dynamic scripting by default and hardened the Groovy sandbox by adding further methods to its blacklist check.

However, Immunity found that for versions 1.4.3 and later there are still other bypasses of the Groovy sandbox if dynamic scripts are manually re-enabled in the configuration file config/elasticsearch.yml by adding the following lines:

    script.inline: sandbox
    script.groovy.sandbox.enabled: true
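As an added triage check (not code from the exploit pack, Immunity, or the referenced blog), the following Python classifies a target's version against the ranges stated above and scans an elasticsearch.yml for the two settings that re-enable sandboxed Groovy. It assumes the version is taken from the JSON body Elasticsearch returns for `GET /` (the `version.number` field); the sample response and configuration fragment are constructed for the example, and treating `script.groovy.sandbox.enabled: true` as the decisive switch (with `script.inline` reported alongside it) is an assumption of this example, not a statement from the page.

```python
"""Added check for the CVE-2015-1427 entry: version triage plus config scan.

Not code from the exploit pack. Version ranges and the two re-enabling
settings come from the advisory text above; the GET / JSON shape
(version.number) is Elasticsearch's real root endpoint, used here offline on
a constructed sample.
"""
import json
import re
from typing import Dict, Tuple

# (minor line, first release with dynamic scripting off by default)
DEFAULT_ON_RANGES = (((1, 3), (1, 3, 8)), ((1, 4), (1, 4, 3)))

# Settings the advisory says re-enable sandboxed Groovy on 1.4.3 and later.
# Assumption of this example: script.groovy.sandbox.enabled is the decisive
# switch; script.inline is collected and reported alongside it.
SANDBOX_SWITCH = "script.groovy.sandbox.enabled"
REENABLE_SETTINGS = {"script.inline": "sandbox", SANDBOX_SWITCH: "true"}


def parse_version(text: str) -> Tuple[int, int, int]:
    """'1.4.2' or '1.4.2-SNAPSHOT' -> (1, 4, 2); anything else is rejected."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Elasticsearch version: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def classify_version(version: str) -> str:
    """Map a version to the three situations the advisory describes."""
    v = parse_version(version)
    for line, fixed in DEFAULT_ON_RANGES:
        if v[:2] == line and v < fixed:
            return "vulnerable-by-default"   # Groovy dynamic scripting is on
    if v < (1, 3, 0):
        return "not-covered"                 # pre-1.3 releases: outside this entry
    return "check-config"                    # off by default; bypasses if re-enabled


def scan_config(yaml_text: str) -> Dict[str, str]:
    """Pull the re-enabling keys out of an elasticsearch.yml.

    Minimal 'key: value' line parser (ignores '#' comments) so the example has
    no PyYAML dependency; nested YAML mappings are not handled.
    """
    found: Dict[str, str] = {}
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip("'\"").lower()
        if key in REENABLE_SETTINGS:
            found[key] = value
    return found


def assess(root_json: str, yaml_text: str) -> str:
    """Combine the GET / response with the node's config into one verdict."""
    version = json.loads(root_json)["version"]["number"]
    state = classify_version(version)
    if state != "check-config":
        return state
    found = scan_config(yaml_text)
    if found.get(SANDBOX_SWITCH) == REENABLE_SETTINGS[SANDBOX_SWITCH]:
        return "vulnerable-scripting-reenabled"
    return "dynamic-scripting-off"


# Constructed sample inputs (not captured from a real host).
SAMPLE_ROOT_RESPONSE = json.dumps({
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "1.4.5", "build_snapshot": False, "lucene_version": "4.10.4"},
    "tagline": "You Know, for Search",
})
SAMPLE_YML = """\
# constructed elasticsearch.yml fragment
cluster.name: elasticsearch
script.inline: sandbox          # only sandboxed languages may run inline
script.groovy.sandbox.enabled: true
"""

if __name__ == "__main__":
    for ver in ("1.3.7", "1.3.8", "1.4.2", "1.4.3", "1.2.4"):
        print(ver, classify_version(ver))
    print("node-1:", assess(SAMPLE_ROOT_RESPONSE, SAMPLE_YML))
```

A "check-config" verdict alone does not mean safe: the page's point is that 1.4.3 and later only close the default-on path, so the configuration file must be read on every node rather than trusting the version banner.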
Repeatability: Infinite
References: http://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1427