Elasticsearch Publicly Accessible
Your Elasticsearch instance is reachable from the internet without authentication, exposing every indexed document (and usually write and delete access) to anyone who finds the endpoint.
How It Works
Elasticsearch's REST API listens on port 9200 and answers plain HTTP GET requests. Before version 8.0, security was disabled by default, so an exposed cluster answered every request with no authentication at all; 8.x enables security and TLS automatically on a fresh install, but clusters that were upgraded or explicitly configured with `xpack.security.enabled: false` are still open. If the instance is bound to a public IP and port 9200 is reachable, an attacker can list every index with `curl http://your-elastic:9200/_cat/indices?v`, pull the first 10,000 documents across all of them with `curl 'http://your-elastic:9200/_search?size=10000'` (10,000 is the default `index.max_result_window`), and page through the rest with the scroll or point-in-time APIs. The same unauthenticated access normally allows writes and deletes too, which is why many exposed clusters are wiped and replaced with ransom notes rather than quietly copied. Exposures of this kind have leaked millions of records in numerous breaches.
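The check a defender should run from outside the network is the same first step an attacker takes: ask `GET /` without credentials and see whether the cluster answers. The code below is an added example, not code from the original page or from Elastic; it classifies the root response, summarizes `_cat/indices` output, and wraps both in a network probe. The helper names, hostnames and sample responses are constructed for illustration; `ES_TAGLINE` is the fixed string Elasticsearch returns in the cluster-info response.

```javascript
// Added example (not from the original page): probe an Elasticsearch endpoint
// the way an internet scanner does and report what an unauthenticated client
// can see. Helper names are assumptions; sample data in the tests is constructed.
const ES_TAGLINE = 'You Know, for Search';

// Classify the response to GET / (cluster info):
//   'open'              -> cluster answered with version info and no auth challenge
//   'auth-required'     -> security is enabled and the request was rejected
//   'not-elasticsearch' -> something else is listening, or the body is not cluster info
function classifyRoot(status, body) {
  if (status === 401 || status === 403) return 'auth-required';
  if (status !== 200) return 'not-elasticsearch';
  let info;
  try {
    info = typeof body === 'string' ? JSON.parse(body) : body;
  } catch {
    return 'not-elasticsearch';
  }
  const hasVersion = Boolean(info && info.version && typeof info.version.number === 'string');
  return hasVersion && info.tagline === ES_TAGLINE ? 'open' : 'not-elasticsearch';
}

// Summarize GET /_cat/indices?format=json: how many documents are readable and
// which user indices hold them. Names starting with '.' are system indices
// (e.g. .kibana, .security-7) and are reported separately. _cat returns every
// field as a string, so docs.count is parsed before it is summed.
function summarizeIndices(catIndices) {
  const userIndices = [];
  const systemIndices = [];
  let totalDocs = 0;
  for (const row of catIndices) {
    const docs = Number.parseInt(row['docs.count'] || '0', 10);
    totalDocs += docs;
    (row.index.startsWith('.') ? systemIndices : userIndices).push({
      index: row.index,
      docs,
      size: row['store.size'],
    });
  }
  return { totalDocs, userIndices, systemIndices };
}

// Probe a live endpoint (needs network, so it is not exercised offline; Node 18+
// for global fetch). An 'open' verdict means anyone on the internet can run
// GET /_search?size=10000 and page through the rest with the scroll or PIT APIs.
async function probe(baseUrl) {
  const opts = { signal: AbortSignal.timeout(5000), redirect: 'manual' };
  const root = await fetch(`${baseUrl}/`, opts);
  const verdict = classifyRoot(root.status, await root.text());
  if (verdict !== 'open') return { baseUrl, verdict };
  const cat = await fetch(`${baseUrl}/_cat/indices?format=json`, opts);
  return { baseUrl, verdict, ...summarizeIndices(await cat.json()) };
}
```

Run `probe('http://your-elastic:9200')` from a host outside your VPC; anything other than `auth-required` (or a connection failure) is a finding. A 401 on `GET /` only proves that authentication is enforced for that request, so treat it as a pass for this check and still verify the TLS and network-placement items below.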
```javascript
const { Client } = require('@elastic/elasticsearch');

// BAD: Elasticsearch client connecting to a public endpoint without auth
const client = new Client({
  node: 'http://search.example.com:9200'
  // No auth, HTTP (not HTTPS), public endpoint
});
```

```javascript
const { Client } = require('@elastic/elasticsearch');

// GOOD: use HTTPS and authenticate with an API key or username/password
const client = new Client({
  node: process.env.ELASTICSEARCH_URL, // https://... private VPC endpoint, not reachable from the internet
  auth: {
    apiKey: process.env.ELASTICSEARCH_API_KEY // base64(id:api_key) for a key scoped to this app's indices
  }
});
```
Real-World Example
The list of breaches traced to unauthenticated Elasticsearch instances is long: a 1.2 billion-record aggregation of personal profile data found exposed in 2019, 2.7 billion email records in 2020, and multiple scrapes of hundreds of millions of social media profiles, among many others. Security researcher Bob Diachenko alone has reported hundreds of open Elasticsearch instances containing sensitive data, most of them located by routine internet-wide scanning rather than by targeted attacks.
How to Prevent It
- Enable Elasticsearch security (`xpack.security.enabled: true`, part of X-Pack; on by default since 8.0) so every request must authenticate, and do not switch it off on upgraded clusters
- Deploy Elasticsearch in a private VPC or subnet with no public IP and bind it to a private address (`network.host`); expose it only through your application servers or a bastion, never directly
- Always use HTTPS (`xpack.security.http.ssl.enabled: true`; Elastic Cloud serves HTTPS on port 9243) and never plain HTTP on port 9200 for anything other than a localhost-only instance
- Create a separate API key per application with read-only privileges on just the indices it needs and an expiration date, instead of one shared admin key
- Check regularly that the cluster is not reachable from the internet: look up your public IPs and hostnames on Shodan or Censys, probe port 9200 from outside your network, and alert on any response to an unauthenticated `GET /`
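Two of the steps above are easy to get wrong in code: the client configuration (plaintext HTTP, no credentials) and the API key definition (a "read" key that is really an admin key because it grants `all` on `*`). The following is an added example, not code from the original page or from Elastic, that audits a client config and builds and validates a least-privilege API key request for `POST /_security/api_key`. The application name, index patterns, helper names and the 30-day default expiration are assumptions; `createRestrictedApiKey` needs a live cluster and an admin client (the `@elastic/elasticsearch` v8 `Client` shown earlier on this page) and is not run offline.

```javascript
// Added example (not from the original page). Helper names, app and index
// names, and the default expiration are assumptions chosen for illustration.
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '::1', '[::1]']);

// Return the problems with a client configuration, or [] if it is acceptable.
// Plain HTTP is tolerated only for a localhost-only instance.
function auditClientConfig({ node, auth }) {
  const problems = [];
  const url = new URL(node);
  if (url.protocol !== 'https:' && !LOCAL_HOSTS.has(url.hostname)) {
    problems.push('plaintext-http'); // credentials and data readable on the wire
  }
  if (!auth || !(auth.apiKey || (auth.username && auth.password))) {
    problems.push('no-auth'); // relies on the cluster accepting anonymous requests
  }
  return problems;
}

// Build the body for POST /_security/api_key that grants one application
// read access to specific indices, no cluster privileges, and an expiry.
function buildReadOnlyApiKey(appName, indices, expiration = '30d') {
  return {
    name: `${appName}-read`,
    expiration,
    role_descriptors: {
      [`${appName}_read`]: {
        cluster: [],
        indices: [{ names: indices, privileges: ['read', 'view_index_metadata'] }],
      },
    },
  };
}

// Reject key definitions that are effectively admin keys: wildcard index
// patterns, 'all'/'manage' privileges, cluster administration, or no expiry.
function leastPrivilegeViolations(apiKeyBody) {
  const violations = [];
  for (const [roleName, role] of Object.entries(apiKeyBody.role_descriptors || {})) {
    if ((role.cluster || []).some((p) => p === 'all' || p === 'manage_security')) {
      violations.push(`${roleName}: cluster privilege grants administration`);
    }
    for (const grant of role.indices || []) {
      if (grant.names.some((n) => n === '*' || n === '_all')) {
        violations.push(`${roleName}: index pattern matches every index`);
      }
      if (grant.privileges.some((p) => p === 'all' || p === 'manage')) {
        violations.push(`${roleName}: index privilege is not read-only`);
      }
    }
  }
  if (!apiKeyBody.expiration) violations.push('key never expires');
  return violations;
}

// Create the key on a live cluster (requires an admin connection; not run
// offline) and return the value a client passes as auth.apiKey, which the
// Elasticsearch docs define as base64("<id>:<api_key>").
async function createRestrictedApiKey(adminClient, appName, indices) {
  const body = buildReadOnlyApiKey(appName, indices);
  const violations = leastPrivilegeViolations(body);
  if (violations.length > 0) throw new Error(`refusing to create key: ${violations.join('; ')}`);
  const resp = await adminClient.security.createApiKey(body);
  return Buffer.from(`${resp.id}:${resp.api_key}`).toString('base64');
}
```

Run `auditClientConfig` against every Elasticsearch client instantiation in CI, and run `leastPrivilegeViolations` against any API key body before it is created; a key that fails either check is the one that turns a leaked environment variable into a full data dump.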
Data Hogo detects this vulnerability automatically.
Related Vulnerabilities
- Unencrypted Database Connection (high): Your database connection doesn't use SSL/TLS, meaning all queries and results travel over the network in plaintext and can be intercepted.
- Database Publicly Accessible (critical): Your database is bound to 0.0.0.0 or exposed on a public IP without a VPC or firewall, making it directly reachable from the internet.
- Default Database Credentials (critical): Your database uses factory-default credentials like postgres:postgres, root:root, or admin:admin — the first thing any attacker tries.
- Connection String with Inline Password (high): A database connection string with a plaintext password is hardcoded in your source code, committing your database credentials to version control.