EIQ-2019-0015



ID

EIQ-2019-0015

CVE

CVE-2019-7612

Description

Logstash could log credentials of malformed URLs

Date

12 Mar 2019

Severity

3 - HIGH

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

✓ 2.3.4

Assessment

A sensitive data disclosure flaw was found in the way Logstash logs malformed URLs.
If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.

A local attacker could obtain URL credentials by viewing the error log.

Mitigation

Upgrade to Logstash 5.6.15 or 6.6.1.
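Upgrading stops new leaks, but error logs written before the upgrade can still contain the credentials. The following sweep is an added example, not part of the original advisory or of Logstash: it flags log lines that expose `user:password@` in a URL and prints them redacted. The function names, the regular expression and the sample log lines are assumptions constructed for illustration.

```python
import re

# scheme://user:password@ ; the password part is matched loosely (anything up
# to the next '@') because a malformed URL may carry unescaped reserved
# characters there. This favours over-reporting in a triage sweep.
USERINFO_RE = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.\-]*://)"
    r"(?P<user>[^\s/:@]+):(?P<password>[^\s@]+)@"
)

def redact_userinfo(text):
    """Replace the password in every URL userinfo found in text."""
    return USERINFO_RE.sub(
        lambda m: f"{m['scheme']}{m['user']}:<REDACTED>@", text
    )

def find_credential_leaks(lines):
    """Return (line_number, user, redacted_line) for each exposed credential."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in USERINFO_RE.finditer(line):
            hits.append(
                (number, match["user"], redact_userinfo(line.rstrip("\n")))
            )
    return hits

# Constructed sample lines (not real Logstash output): line 1 has a malformed
# URL with an invalid escape and a '/' in the password, line 2 has a URL
# without credentials, line 3 has a well-formed URL with credentials.
SAMPLE_LOG = [
    "[2019-03-12T10:15:02,118][ERROR][logstash.pipeline] bad URI "
    "http://elastic:S3cr%zz/et@es.internal.example:9200/",
    "[2019-03-12T10:15:03,004][INFO ][logstash.agent] output "
    "http://es.internal.example:9200/",
    "[2019-03-12T10:15:04,377][ERROR][logstash.outputs.http] retrying "
    "https://logwriter:hunter2@queue.internal.example/ingest",
]

if __name__ == "__main__":
    for number, user, redacted in find_credential_leaks(SAMPLE_LOG):
        print(f"line {number}: credentials for '{user}' exposed -> {redacted}")
```

To check real logs, pass the lines of each Logstash log file (including rotated ones) to `find_credential_leaks`. Any credential it reports was readable by whoever could view that log.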

Affected versions

2.3.3 and earlier.

Notes

-


In release notes 2.3.4