Elasticsearch is a highly scalable open-source full-text search and analytics engine. It allows you to store, search, and analyze large volumes of data quickly and in near real time. It is generally used as the underlying engine that powers applications with complex search features and requirements.
Elasticsearch has a flaw in its default configuration which makes it possible for any webpage to execute arbitrary code on the machines of visitors who have Elasticsearch installed. Elasticsearch has no access roles or authentication mechanism. This means that anyone who connects to a cluster has full control over it from that moment.
Add the following line to your elasticsearch.yml to disable dynamic scripting and prevent remote code execution:
script.disable_dynamic: true

You should also make sure that your local Elasticsearch instance binds only to localhost.
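One way to check a configuration file for both recommendations above, as an added example that is not code from this page or from the Elasticsearch project. It assumes flat dotted keys in elasticsearch.yml, assumes the bind address is set through the `network.host` setting (a name this page does not give), and treats a missing `network.host` as a finding; the sample configs are constructed.

```python
import ipaddress

# Constructed sample configs (not taken from any real deployment).
WEAK_CONFIG = """\
cluster.name: demo
# script.disable_dynamic: true
network.host: 0.0.0.0
"""
HARDENED_CONFIG = """\
cluster.name: demo
script.disable_dynamic: true   # no dynamic scripts
network.host: 127.0.0.1
"""

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines. Nested YAML is out of scope (assumption)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def is_loopback(host):
    """True for 'localhost' or any IPv4/IPv6 loopback literal."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames are not resolved here

def audit(text):
    """Return a list of findings; an empty list means both settings are in place."""
    cfg = parse_flat_yaml(text)
    findings = []
    if cfg.get("script.disable_dynamic", "").lower() != "true":
        findings.append("script.disable_dynamic is not set to true")
    host = cfg.get("network.host")  # assumed setting name for the bind address
    if host is None:
        findings.append("network.host is not set; bind address is not pinned to localhost")
    elif not is_loopback(host):
        findings.append("network.host is %s, not a loopback address" % host)
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or "OK")
```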