CVE-2015-1427
Publication date 17 February 2015
Last updated 25 August 2025
Ubuntu priority
Description
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| elasticsearch | 18.04 LTS bionic | Not in release |
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Other references
- http://seclists.org/bugtraq/2015/Feb/92
- http://xforce.iss.net/xforce/xfdb/100850
- http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/
- http://packetstormsecurity.com/files/130368/Elasticsearch-1.3.7-1.4.2-Sandbox-Escape-Command-Execution.html
- https://www.cve.org/CVERecord?id=CVE-2015-1427
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog