

Insecure default in Elasticsearch enables remote code execution - bouk
http://bouk.co/blog/elasticsearch-rce/

======
Xylakant
Yet another reason to have your dev stuff run in a separate VM. The attacker
in theory could still do the same trick, but he'd first have to guess the IP
of the VM (probably simple, since a lot of people forward local ports), but all
damage would be limited to the VM (yes, I have the users vagrant and root on
that VM). Still not perfect, but much better.

