Cyber Resilience

CVE-2014-3120

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 28 July 2014

Modified: 22 April 2026
KEV Added: 25 March 2022
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.8528 (99.4th percentile)
Risk Priority: 87 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2014-3120 is a high-severity Improper Access Control (CWE-284) vulnerability in Elastic Elasticsearch. Its CVSS base score is 8.1 (High).

Operationally, it is ranked in the top 0.6% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).

Deeper analysis

The vulnerability tracked as CVE-2014-3120 affects Elasticsearch versions before 1.2. In the default configuration, dynamic scripting is enabled, permitting remote attackers to supply arbitrary MVEL expressions and Java code through the source parameter of the _search endpoint. This behavior stems from improper access control (CWE-284) and carries a CVSS 3.1 score of 8.1.

An attacker with network access to an affected instance can submit crafted search requests that execute the supplied expressions, resulting in arbitrary code execution. Successful exploitation grants the ability to read or modify data and potentially impact system integrity, although the vendor notes the issue only violates intended policy when Elasticsearch is not isolated in its own virtual machine.

Public references document working exploits, including modules in the Metasploit framework and standalone proof-of-concept code on Exploit-DB, confirming that remote code execution is practical against unpatched or misconfigured deployments.

Vulnerability details

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

CWE(s)
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

elastic · elasticsearch · ≤ 1.2.0

Mitigating Controls (NIST 800-53 r5)

prevent

Directly enforces access restrictions on the _search endpoint to block unauthorized dynamic script execution.

prevent

Requires disabling non-essential dynamic scripting capability that is enabled by default and enables RCE.

prevent

Mandates secure baseline configuration settings to disable dynamic scripting in Elasticsearch versions before 1.2.
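A baseline check for the configuration controls above, as an added example that is not part of this page or of Elastic's tooling: it reads a node's version and elasticsearch.yml text and reports whether dynamic scripting is on. Assumptions: the setting name script.disable_dynamic (the Elasticsearch 1.x setting, not named on this page), that versions from 1.2 on default to disabled, and that any value other than "true" is treated conservatively as enabled.

```python
import re

FIXED_DEFAULT = (1, 2)  # the page: the default enables dynamic scripting before 1.2

def flatten_settings(yaml_text):
    """Flatten simple YAML mappings to dotted keys; covers flat and nested spellings."""
    settings, stack = {}, []              # stack holds (indent, key) of open parents
    for raw in yaml_text.splitlines():
        line = raw.split(" #")[0].rstrip()        # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"^(\s*)([\w.\-]+)\s*:\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        while stack and stack[-1][0] >= indent:   # leave finished parent mappings
            stack.pop()
        if value:
            settings[".".join([k for _, k in stack] + [key])] = value.strip("'\"")
        else:
            stack.append((indent, key))
    return settings

def audit(version, yaml_text):
    """Return (dynamic_scripting_enabled, source, finding) for one node."""
    ver = tuple(int(p) for p in version.split(".")[:2])
    raw = flatten_settings(yaml_text).get("script.disable_dynamic")  # assumed name
    if raw is None:
        enabled, source = ver < FIXED_DEFAULT, "version default"
    else:
        enabled, source = raw.lower() != "true", "explicit setting"
    if enabled:
        finding = "EXPOSED: dynamic scripting reachable via _search"
    elif ver < FIXED_DEFAULT:
        finding = "HARDENED: scripting off, but version predates 1.2; upgrade"
    else:
        finding = "NO FINDING"
    return enabled, source, finding

# Constructed sample configurations (not taken from any real deployment).
SAMPLES = [
    ("1.1.1", "cluster.name: logs\n"),
    ("1.1.1", "script:\n  disable_dynamic: true   # nested spelling\n"),
    ("1.0.0", "#script.disable_dynamic: true\n"),
    ("1.4.2", "script.disable_dynamic: false\n"),
]

if __name__ == "__main__":
    for version, text in SAMPLES:
        print(version, audit(version, text))
```

The commented-out line in the third sample is the case a plain text search for the setting name gets wrong: the key appears in the file but is not in effect.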
