Elasticsearch versions 1.3.x and prior have a default configuration for CORS that allows an attacker to craft links that could cause a user's browser to send requests to Elasticsearch instances on their local network. These requests could cause data loss or compromise.
0470832a32f532d43f5d3a0ee65181e2c78d893dc3b4564f92c67f9143488da5
Elasticsearch Logstash versions 1.0.14 through 1.4.1 suffer from a remote command execution vulnerability.
af4c8c7dd3bc0722d099ec0c672298ee3ab08240c306a42f89bf7e33cf00c9e4