Information disclosure in Elastic Logstash

CVE-2019-7612

A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently…

EPSS: 0.005 (64.2th percentile) — read the EPSS interpretation.

Affected products

Elastic Logstash — versions before 5.6.15 and 6.6.1

Weakness classification (CWE)

CWE-209 — Generation of Error Message Containing Sensitive Information

References

discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077 (x_refsource_MISC)
www.elastic.co/community/security (x_refsource_MISC)
security.netapp.com/advisory/ntap-20190411-0002/ (x_refsource_CONFIRM)