Groovy scripting vulnerability

Hi all

Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have a vulnerability in
the Groovy scripting engine. The vulnerability allows an attacker to
construct Groovy scripts that escape the sandbox and execute shell commands
as the user running the Elasticsearch Java VM.

We have released Elasticsearch 1.3.8 and 1.4.3 to address this issue.
Please read the blogpost and either upgrade or update your config to
disable dynamic Groovy scripting:



You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit
For more options, visit