CVE-2015-1427

CVSS 9.8 CRITICAL · EPSS 99.9% · KEV
Vexday Risk Score
100 · Fix now
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 9.8 · EPSS 99.9% · KEV: yes · Public PoC · Nuclei: yes · Metasploit: yes · Patch referenced
Lifecycle
11 Feb 2015: Metasploit module available
17 Feb 2015: Published on NVD
11 Mar 2015: Public PoC
25 Mar 2022: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

Elasticsearch allowed attackers to run any command on the server by bypassing safety restrictions in its Groovy script feature. This is critical because it gives complete control of the affected system to anyone who can send a malicious script.

Technical detail

The Groovy scripting engine in vulnerable Elasticsearch versions (before 1.3.8 and 1.4.x before 1.4.3) failed to properly enforce sandbox restrictions, allowing remote code execution. An attacker could craft malicious Groovy scripts to escape the sandbox and execute arbitrary shell commands with the privileges of the Elasticsearch process, leading to full system compromise.

Summary generated and translated by AI from the official description.
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.