CVE-2015-1427

Elasticsearch Groovy Scripting Engine Remote Code Execution Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.

El motor de secuencias de comandos Groovy en Elasticsearch anterior a 1.3.8 y 1.4.x anterior a 1.4.3 permite a atacantes remotos evadir el mecanismo de protección de sandbox y ejecutar comandos de shell arbitrarios a través de una secuencia de comandos manipulada.

It was reported that Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications. This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files. Multiple security issues have been addressed.

The Groovy scripting engine in Elasticsearch allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2015-01-31 CVE Reserved
2015-02-11 CVE Published
2015-03-11 First Exploit
2022-03-25 Exploited in Wild
2022-04-15 KEV Due Date
2025-02-10 CVE Updated
2025-04-08 EPSS Updated

CWE

CWE-284: Improper Access Control

CAPEC

References (22)

URL	Tag	Source
http://packetstormsecurity.com/files/130368/Elasticsearch-1.3.7-1.4.2-Sandbox-Escape-Command-Execution.html	X_refsource_misc
http://www.securityfocus.com/archive/1/534689/100/0/threaded	Mailing List
http://www.securityfocus.com/bid/72585	Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/100850	Vdb Entry
https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427
https://github.com/XiphosResearch/exploits/tree/master/ElasticSearch
http://drops.wooyun.org/papers/5107

URL	Date	SRC
https://packetstorm.news/files/id/130784	2015-03-12
https://packetstorm.news/files/id/130799	2015-03-12
https://www.exploit-db.com/exploits/36415	2015-03-16
https://www.exploit-db.com/exploits/36337	2015-03-11
https://github.com/t0kx/exploit-CVE-2015-1427	2017-01-09
https://github.com/xpgdgit/CVE-2015-1427	2022-08-01
https://github.com/cyberharsh/Groovy-scripting-engine-CVE-2015-1427	2020-06-24
https://github.com/cved-sources/cve-2015-1427	2021-04-15
https://github.com/Sebikea/CVE-2015-1427-for-trixie	2024-11-10
http://packetstormsecurity.com/files/130784/ElasticSearch-Unauthenticated-Remote-Code-Execution.html	2025-02-10

URL	Date	SRC
http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released	2018-10-09

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2017:0868	2018-10-09
https://www.elastic.co/community/security	2018-10-09
https://access.redhat.com/security/cve/CVE-2015-1427	2017-04-03
https://bugzilla.redhat.com/show_bug.cgi?id=1191969	2017-04-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Elasticsearch Search vendor "Elasticsearch"		Elasticsearch Search vendor "Elasticsearch" for product "Elasticsearch"				<= 1.3.7 Search vendor "Elasticsearch" for product "Elasticsearch" and version " <= 1.3.7"		-		Affected
Elasticsearch Search vendor "Elasticsearch"		Elasticsearch Search vendor "Elasticsearch" for product "Elasticsearch"				1.4.0 Search vendor "Elasticsearch" for product "Elasticsearch" and version "1.4.0"		-		Affected
Elasticsearch Search vendor "Elasticsearch"		Elasticsearch Search vendor "Elasticsearch" for product "Elasticsearch"				1.4.0 Search vendor "Elasticsearch" for product "Elasticsearch" and version "1.4.0"		beta1		Affected
Elasticsearch Search vendor "Elasticsearch"		Elasticsearch Search vendor "Elasticsearch" for product "Elasticsearch"				1.4.1 Search vendor "Elasticsearch" for product "Elasticsearch" and version "1.4.1"		-		Affected
Elasticsearch Search vendor "Elasticsearch"		Elasticsearch Search vendor "Elasticsearch" for product "Elasticsearch"				1.4.2 Search vendor "Elasticsearch" for product "Elasticsearch" and version "1.4.2"		-		Affected