Elasticsearch is a Lucene-based search service and the second-most popular enterprise search engine.
Elasticsearch does not enforce a strict path filtering policy on plugin URLs, which a malicious user can exploit to read arbitrary files in a specific directory. For example, an attacker can use the
http://localhost:9200/_plugin/head/../../../../../../../../../etc/passwd URL to read any file with a suitable tool. Note that opening this address directly in a browser does not work, because the browser collapses the `../` segments before the request is sent.
Upgrade Elasticsearch to version 1.5.2 or later from the official website.
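The following is an added example, not part of the original advisory and not Elasticsearch's own code. It shows how a defender can (a) flag requests against the `/_plugin/` endpoint whose path climbs out of the plugin directory, including URL-encoded variants, and (b) check whether a deployed version is at or above the fixed release 1.5.2 named above. The log line format (`client method path status`) and the sample lines are constructed assumptions for this example.

```python
"""Added example (not from the original advisory or the Elasticsearch project).

Detects path-traversal attempts against the Elasticsearch site-plugin endpoint
in access-log lines and checks a version string against the fixed release.
The log format and sample lines below are constructed for this example.
"""
import re
from urllib.parse import unquote

# From the advisory: the issue is fixed in 1.5.2 and later.
FIXED_VERSION = (1, 5, 2)

# Assumed log shape: "<client> <method> <path> <status>" (constructed).
LOG_LINE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log: one benign plugin request, two traversal attempts
# (raw and URL-encoded), and one unrelated search request.
SAMPLE_LOG = """\
10.0.0.5 GET /_plugin/head/index.html 200
10.0.0.9 GET /_plugin/head/../../../../../../../../../etc/passwd 200
10.0.0.9 GET /_plugin/head/..%2F..%2F..%2F..%2Fetc%2Fpasswd 200
10.0.0.7 GET /_search?q=test 200
"""


def parse_version(text):
    """Turn '1.5.2' into (1, 5, 2); a suffix such as '-beta1' is ignored."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_patched(version):
    """True when the running version is at or above the fixed release."""
    return parse_version(version) >= FIXED_VERSION


def decode_path(path):
    """Apply URL-decoding until the string stops changing, so that
    double-encoded sequences (e.g. %252e) are also resolved."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def escapes_plugin_root(path):
    """True if a request under /_plugin/ climbs above the plugin directory.

    The depth counter models how deep the request sits below /_plugin/;
    any '..' that takes it below zero reaches outside the plugin root.
    """
    decoded = decode_path(path).split("?", 1)[0].replace("\\", "/")
    if not decoded.startswith("/_plugin/"):
        return False
    depth = 0
    for segment in decoded[len("/_plugin/"):].split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def scan_log(lines):
    """Return (client, path) for every request flagged as a traversal attempt."""
    alerts = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if match and escapes_plugin_root(match["path"]):
            alerts.append((match["client"], match["path"]))
    return alerts


if __name__ == "__main__":
    for client, path in scan_log(SAMPLE_LOG.splitlines()):
        print(f"traversal attempt from {client}: {path}")
    for v in ("1.4.4", "1.5.2", "2.0.0"):
        print(f"{v}: {'patched' if is_patched(v) else 'vulnerable, upgrade'}")
```

The depth-counting check is deliberately independent of the file system: it does not need to know where plugins are installed, only that a request under `/_plugin/` must never resolve above that prefix. Decoding before the check matters because the traversal can arrive percent-encoded, and the raw path would otherwise pass.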