Elasticsearch service accessible

Description

Elasticsearch is a highly scalable open-source full-text search and analytics engine. It allows you to store, search, and analyze large volumes of data quickly and in near real time. It is generally used as the underlying engine that powers applications with complex search features and requirements.

Acunetix WVS discovered that it is possible to access the Elasticsearch service. This service should not be accessible on a production website, as it may give an attacker access to sensitive information about the affected system. Elasticsearch has no access roles or authentication mechanism, which means that anyone who can connect to a cluster has full control over it.

Remediation

Disable external access to the Elasticsearch service.
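
One way to verify this on a node, as an added example that is not part of the original advisory or of Acunetix's tooling: the script below audits the bind-address settings in an elasticsearch.yml and reports any that are not loopback-only. The function names and sample configurations are constructed for illustration, and the parser assumes the flat "dotted.key: value" form of the file; firewall rules are outside its scope.

```python
import ipaddress
import re

# Elasticsearch settings that control which addresses the listeners bind to.
BIND_KEYS = ("network.host", "network.bind_host", "http.host",
             "http.bind_host", "transport.host", "transport.bind_host")
# Values that can only resolve to loopback addresses.
LOOPBACK_SPECIALS = {"_local_", "_local:ipv4_", "_local:ipv6_", "localhost"}

def is_loopback(value):
    """True if a bind value can only resolve to a loopback address."""
    if value.lower() in LOOPBACK_SPECIALS:
        return True
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        # Hostnames, _site_, _global_, _eth0_ and similar: treat as reachable.
        return False

def audit_bind_settings(config_text):
    """Return (line_no, key, value) for each bind setting that is not loopback-only.

    Assumption: flat 'dotted.key: value' lines; nested YAML is not handled.
    """
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        match = re.match(r"^([\w.]+)\s*:\s*(.+)$", line)
        if not match or match.group(1) not in BIND_KEYS:
            continue
        # Accept one value or an inline list such as ["127.0.0.1", "10.0.0.5"].
        values = [v.strip(" \"'") for v in match.group(2).strip("[] ").split(",")]
        for value in values:
            if value and not is_loopback(value):
                findings.append((line_no, match.group(1), value))
    return findings

# Constructed sample configurations: exposed setting beside the corrected one.
WEAK = "cluster.name: search-prod\nnetwork.host: 0.0.0.0  # every interface\nhttp.port: 9200\n"
HARDENED = "cluster.name: search-prod\nnetwork.host: _local_\nhttp.port: 9200\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_bind_settings(text))
```

An empty result means every listed bind setting resolves to loopback only; a setting that is absent from the file is not reported.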

Tags
  • Configuration
  • Information Disclosure