Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2015-1427

Published: Feb 17, 2015 | Modified: Jul 16, 2024
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
6.8 IMPORTANT
AV:N/AC:M/Au:N/C:P/I:P/A:P
RedHat/V3
6.5 IMPORTANT
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Ubuntu
MEDIUM
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2015-1427
CWEhttps://cwe.mitre.org/data/definitions/.html

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.

Affected Software

Name Vendor Start Version End Version
Elasticsearch Elastic * 1.3.8 (excluding)
Elasticsearch Elastic 1.4.0 (including) 1.4.3 (excluding)
Red Hat JBoss A-MQ 6.3 RedHat *
Red Hat JBoss Fuse 6.3 RedHat *
Elasticsearch Ubuntu artful *
Elasticsearch Ubuntu upstream *
Elasticsearch Ubuntu vivid *
Elasticsearch Ubuntu wily *
Elasticsearch Ubuntu yakkety *
Elasticsearch Ubuntu zesty *

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use