CVE-2015-1427
Published: 17 February 2015
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
elasticsearch Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
| bionic |
Does not exist
|
|
| lucid |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(1.4.3)
|
|
| utopic |
Does not exist
|
|
| vivid |
Ignored
(end of life)
|
|
| wily |
Ignored
(end of life)
|
|
| xenial |
Not vulnerable
(1.7.3+dfsg-3)
|
|
| yakkety |
Ignored
(end of life)
|
|
| zesty |
Ignored
(end of life)
|
References
- http://seclists.org/bugtraq/2015/Feb/92
- http://xforce.iss.net/xforce/xfdb/100850
- http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/
- http://packetstormsecurity.com/files/130368/Elasticsearch-1.3.7-1.4.2-Sandbox-Escape-Command-Execution.html
- https://www.cve.org/CVERecord?id=CVE-2015-1427
- NVD
- Launchpad
- Debian