VIR Vulnerability Intelligence Relay

CVE-2015-5619

medium
Published 2015-08-20 · Modified 2026-05-13
CVSS v3
5.9
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v2
4.3
VIR risk
5.9

Description

Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack.

Predictions

Exploit likelihood
69%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://www.elastic.co/blog/logstash-1-5-4-and-1-4-5-released

Package impact
EcosystemPackageVulnerableFixed
ruby RubyGemslogstash-core<~> 1.4.5~> 1.4.5

Application impact
VendorProductVersionsFixed
elasticlogstash1.4.0
elasticlogstash1.4.1
elasticlogstash1.4.2
elasticsearchlogstash1.4.3
elasticsearchlogstash1.4.4
elasticsearchlogstash1.5.0
elasticsearchlogstash1.5.1
elasticsearchlogstash1.5.2
elasticsearchlogstash1.5.3

References

CWEs

CWE-295

Verify integrity in audit chain (admin only). AS-IS.