Vulnerability
Elasticsearch is a search server based on Lucene. The old versions of ElasticSearch support passing in dynamic scripts (MVEL) to perform some complex operations, and MVEL can execute Java code, and there is no sandbox, so a user can directly execute arbitrary code.
Mitigation / Precaution
- In order to patch this vulnerability, we suggest you to update ElasticSearch to the latest version.
- We recommend you to configure ‘script.disable_dynamic: true’ in elasticsearch.yml.
Written by
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
