Summary: Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack that allows an attacker to retrieve files that are readable by the Elasticsearch JVM process. We have been assigned CVE-2015-5531 for this issue. Fixed versions: Versions 1.6.1 and 1.7.0 address the vulnerability. Remediation: Users should upgrade to the 1.6.1 or 1.7.0 releases. Users that do not wish to upgrade can use a firewall, reverse proxy, or Shield to prevent snapshot API calls from untrusted sources. CVSS Overall CVSS score: 2.6 Credits: Benjamin Smith reported the issue.
