CVE-2015-1427
Published: 17 February 2015
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
Priority
Status
Package | Release | Status |
---|---|---|
elasticsearch Launchpad, Ubuntu, Debian | artful | Ignored (end of life) |
elasticsearch | bionic | Does not exist |
elasticsearch | lucid | Does not exist |
elasticsearch | precise | Does not exist |
elasticsearch | trusty | Does not exist |
elasticsearch | upstream | Released (1.4.3) |
elasticsearch | utopic | Does not exist |
elasticsearch | vivid | Ignored (end of life) |
elasticsearch | wily | Ignored (end of life) |
elasticsearch | xenial | Not vulnerable (1.7.3+dfsg-3) |
elasticsearch | yakkety | Ignored (end of life) |
elasticsearch | zesty | Ignored (end of life) |
References
- http://seclists.org/bugtraq/2015/Feb/92
- http://xforce.iss.net/xforce/xfdb/100850
- http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/
- http://packetstormsecurity.com/files/130368/Elasticsearch-1.3.7-1.4.2-Sandbox-Escape-Command-Execution.html
- https://www.cve.org/CVERecord?id=CVE-2015-1427
- NVD
- Launchpad
- Debian