Elasticsearch Logstash CVE-2019-7612 Information Disclosure Vulnerability

Elasticsearch Logstash is prone to an information-disclosure vulnerability.

Attackers can exploit this issue to obtain potentially sensitive information. This may lead to further attacks.

Versions prior to Elasticsearch Logstash 5.6.15 and 6.6.1 are vulnerable.

Information

Bugtraq ID: 107090
Class: Input Validation Error
CVE: CVE-2019-7612

Remote: Yes
Local: No
Published: Feb 19 2019 12:00AM
Updated: Feb 19 2019 12:00AM
Credit: The vendor reported this issue.
Vulnerable: Elasticsearch Logstash 6.6
Elasticsearch Logstash 6.5.4
Elasticsearch Logstash 6.5.3
Elasticsearch Logstash 6.5.2
Elasticsearch Logstash 6.5.1
Elasticsearch Logstash 6.5
Elasticsearch Logstash 6.4.3
Elasticsearch Logstash 5.6.14
Elasticsearch Logstash 5.6.13
Elasticsearch Logstash 5.6.11
Elasticsearch Logstash 5.6.10
Elasticsearch Logstash 5.6.9
Elasticsearch Logstash 5.0.1
Elasticsearch Logstash 5.0
Elasticsearch Logstash 2.3.4
Elasticsearch Logstash 2.3.3
Elasticsearch Logstash 2.3.2
Elasticsearch Logstash 2.3.1
Elasticsearch Logstash 2.3
Elasticsearch Logstash 2.2.4
Elasticsearch Logstash 2.2.3
Elasticsearch Logstash 2.2.2
Elasticsearch Logstash 2.2.1
Elasticsearch Logstash 2.2
Elasticsearch Logstash 2.1.3
Elasticsearch Logstash 2.1.2
Elasticsearch Logstash 2.1.1
Elasticsearch Logstash 2.1
Elasticsearch Logstash 1.5.4
Elasticsearch Logstash 1.5.3
Elasticsearch Logstash 1.5.2
Elasticsearch Logstash 1.4.5
Elasticsearch Logstash 1.4.4
Elasticsearch Logstash 1.1 1
Elasticsearch Logstash 1.5.0
Elasticsearch Logstash 1.4.3
Elasticsearch Logstash 1.4.2
Elasticsearch Logstash 1.4.1
Elasticsearch Logstash 1.4.0
Elasticsearch Logstash 1.3.3
Elasticsearch Logstash 1.3.2
Elasticsearch Logstash 1.3.1
Elasticsearch Logstash 1.3.0
Elasticsearch Logstash 1.2.2
Elasticsearch Logstash 1.2.1
Elasticsearch Logstash 1.1.9
Elasticsearch Logstash 1.1.8
Elasticsearch Logstash 1.1.7
Elasticsearch Logstash 1.1.6
Elasticsearch Logstash 1.1.5
Elasticsearch Logstash 1.1.4
Elasticsearch Logstash 1.1.3
Elasticsearch Logstash 1.1.2
Elasticsearch Logstash 1.1.13
Elasticsearch Logstash 1.1.12
Elasticsearch Logstash 1.1.11
Elasticsearch Logstash 1.1.10
Elasticsearch Logstash 1.1.1
Elasticsearch Logstash 1.1.0
Elasticsearch Logstash 1.0.17
Elasticsearch Logstash 1.0.16
Elasticsearch Logstash 1.0.15
Elasticsearch Logstash 1.0.14

Not Vulnerable: Elasticsearch Logstash 6.6.1
Elasticsearch Logstash 5.6.15

Exploit

An attacker can exploit this issue using a browser.

References:

• Elasticsearch Homepage (Elasticsearch)
  
• Elastic Stack 6.6.1 and 5.6.15 security update (Elastic Stack)
  
• Elasticsearch Security Issues (Elasticsearch)
  

Source: www.securityfocus.com