[manjaro-security] [ASA-201902-28] logstash: information disclosure
Morten Linderud
foxboron at archlinux.org
Tue Feb 26 18:10:15 CET 2019
Arch Linux Security Advisory ASA-201902-28
==========================================
Severity: High
Date    : 2019-02-25
CVE-ID  : CVE-2019-7612
Package : logstash
Type    : information disclosure
Remote  : No
Link    : https://security.archlinux.org/AVG-913
Summary
=======
The package logstash before version 6.6.1-1 is vulnerable to
information disclosure.
Resolution
==========
Upgrade to 6.6.1-1.
# pacman -Syu "logstash>=6.6.1-1"
The problem has been fixed upstream in version 6.6.1.
Workaround
==========
None.
Description
===========
A sensitive data disclosure flaw was found in the way Logstash logs
malformed URLs. If a malformed URL is specified as part of the Logstash
configuration, the credentials for the URL could be inadvertently
logged as part of the error message.
Impact
======
A local attacker is able to obtain URL credentials by reading the error
log.
References
==========
https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
https://security.archlinux.org/CVE-2019-7612
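
The Description says credentials from a malformed URL could be written into the error message, and lines already in existing logs stay there after the upgrade. The following is an added example, not part of the advisory or of Logstash: a shell function that lists log lines containing a URL with embedded credentials and masks the password in its own output. The match is on generic URL userinfo (an assumption, not a Logstash message format), and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: list log lines that contain a URL with
# embedded credentials, masking the password so the scan does not repeat the
# leak. The pattern is generic URL userinfo, not a Logstash message format.

SCHEME='[A-Za-z][A-Za-z0-9+.-]*'
USERPART='[^/@:[:space:]"]+'
# Greedy up to the last "@" before a "/", quote or space, so a password that
# itself contains "@" (one way a URL ends up malformed) is masked whole.
PASSPART='[^/[:space:]"]+'

# Usage: scan_credential_urls FILE...
# Prints "file:line:text" for each hit, with the password replaced.
scan_credential_urls() {
    for scan_f in "$@"; do
        [ -r "$scan_f" ] || continue
        grep -HnE "${SCHEME}://${USERPART}:${PASSPART}@" "$scan_f" |
            sed -E "s#(${SCHEME}://${USERPART}):${PASSPART}@#\1:<REDACTED>@#g"
    done
    return 0
}

# Constructed sample lines; the message layout is invented for the demo.
write_sample_log() {
    cat > "$1" <<'EOF'
[2019-02-20T10:00:00][ERROR] bad URI: http://elastic:s3cr3t@es01.example:9200/%zz
[2019-02-20T10:00:01][INFO] connected to http://es02.example:9200/
[2019-02-20T10:00:02][ERROR] bad URI: https://ingest:p@ssw0rd@es03.example:9243
[2019-02-20T10:00:03][WARN] notify ops@example.org about http://es04.example:9200
EOF
}

# Scan the files given on the command line, or the constructed sample if none.
if [ "$#" -gt 0 ]; then
    scan_credential_urls "$@"
else
    demo_log=$(mktemp) && write_sample_log "$demo_log" &&
        scan_credential_urls "$demo_log"
    rm -f "$demo_log"
fi
```

Run it against your own Logstash log files, including rotated copies. Any hit means that credential should be treated as exposed to local readers of the log and rotated.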