CVE-2021-22138

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-22138

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22138.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-22138

Aliases

BIT-logstash-2021-22138

Published

2021-05-13T18:15:09.077Z

Modified

2026-04-02T06:47:17.026421Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

In Logstash versions after 6.4.0 and before 6.8.15 and 7.12.0 a TLS certificate validation flaw was found in the monitoring feature. When specifying a trusted server CA certificate Logstash would not properly verify the certificate returned by the monitoring server. This could result in a man in the middle style attack against the Logstash monitoring data.

References

Affected packages

Git / github.com/elastic/logstash

Affected ranges

Type

GIT

Repo

https://github.com/elastic/logstash

Events

Introduced

f8014ac54e6c8ff6c071c0960ca1b00e9735f43a

Fixed

3c0cd07dcd6979538e2b92b9997f2535aa13798e

Introduced

26101649981400490f8bab334c61a90a1d6325d2

Fixed

4399d72a9afe6f06db8adbaad8030e5b111e86b6

Database specific

{
    "versions": [
        {
            "introduced": "6.4.0"
        },
        {
            "fixed": "6.8.15"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.12.0"
        }
    ]
}

Affected versions

v6.*

v6.4.0

v6.4.1

v6.4.2

v6.4.3

v7.*

v7.0.0

v7.0.1

v7.1.0

v7.1.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22138.json"