vulnerability
Elastic Elasticsearch: CVE-2015-5377: Improper Neutralization of Special Elements in Output Used by a Downstream Component
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Mar 6, 2018 | May 13, 2025 | Mar 25, 2026 |
Severity
7
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
Mar 6, 2018
Added
May 13, 2025
Modified
Mar 25, 2026
Description
Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport protocol. NOTE: ZDI appears to claim that CVE-2015-3253 and CVE-2015-5377 are the same vulnerability
Solution
elastic-elasticsearch-upgrade-latest
References
- CWE-74
- CVE-2015-5377
- https://attackerkb.com/topics/CVE-2015-5377
- http://www.securityfocus.com/bid/75938
- http://www.zerodayinitiative.com/advisories/ZDI-15-365/
- https://discuss.elastic.co/t/elasticsearch-remote-code-execution-cve-2015-5377/25736
- https://github.com/elastic/elasticsearch/commit/bf3052d14c874aead7da8855c5fcadf5428a43f2
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2015-5333
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.