When a site plugin is activated, a directory traversal issue in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2 allows remote attackers to access arbitrary files via undefined vectors.
In order to patch this vulnerability, we suggest you update Elasticsearch to the latest version