Description
In 189d576 an update to GHSA-8qhq-rq4j-8prj was published that covers both the logstash and logstash-event gems.
GHSA-8qhq-rq4j-8prj claims that the logstash-event gem has affected versions: >= 1.0.14, < 1.4.2, patched versions: 1.4.2.
But the last published version of the logstash-event gem was 1.2.02, in 2013: https://rubygems.org/gems/logstash-event/
The advisory details specify that the vulnerability is in the files zabbix.rb and nagios_nsca.rb:

> Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.
However, the logstash-event gem does not include those files. Per https://github.com/elastic/logstash/blob/29de30745138ddcb69a2b45b8ebf3e5a1c39b58a/logstash-event.gemspec, the logstash-event gem (version 1.2.02) includes only the following files:
- lib/logstash-event.rb
- lib/logstash/event.rb
- lib/logstash/namespace.rb
- lib/logstash/util/fieldreference.rb
- lib/logstash/util.rb
- spec/event.rb
- LICENSE
Was the inclusion of the logstash-event gem in this advisory a mistake?
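As an added illustration (not part of this issue, the advisory, or any advisory tooling), a Ruby triage check that applies both halves of the argument above to a constructed stand-in for the 1.2.02 gemspec: is the version inside the advisory's affected range, and does the gem actually ship the named output files? The `lib/logstash/outputs/` paths used for the contrasting logstash case are assumed from the logstash repository layout.

```ruby
require 'rubygems'

# Affected range for logstash-event as stated in GHSA-8qhq-rq4j-8prj.
ADVISORY_RANGE = Gem::Requirement.new('>= 1.0.14', '< 1.4.2')
# Output plugins named in the advisory; matched by basename under an outputs/ directory,
# since the advisory text only says "zabbix.rb or nagios_nsca.rb in outputs/".
ADVISORY_FILES = %w[zabbix.rb nagios_nsca.rb].freeze

# Builds an in-memory specification from the fields a triage check needs (constructed helper).
def build_spec(name, version, files)
  Gem::Specification.new do |s|
    s.name    = name
    s.version = version
    s.summary = 'constructed stand-in for triage'
    s.files   = files
  end
end

# Constructed stand-in for the logstash-event 1.2.02 gemspec, carrying exactly the
# file list quoted in the issue (not the real gemspec verbatim).
LOGSTASH_EVENT_SPEC = build_spec('logstash-event', '1.2.02', %w[
  lib/logstash-event.rb
  lib/logstash/event.rb
  lib/logstash/namespace.rb
  lib/logstash/util/fieldreference.rb
  lib/logstash/util.rb
  spec/event.rb
  LICENSE
])

# Returns the files in +spec+ that carry the vulnerable code (matching basename under outputs/).
def vulnerable_files_in(spec, names = ADVISORY_FILES)
  spec.files.select { |path| path.include?('outputs/') && names.include?(File.basename(path)) }
end

# Triage verdict: the advisory applies to a gem release only if BOTH the version
# falls in the affected range AND the gem actually ships the affected files.
def advisory_applies?(spec, range = ADVISORY_RANGE)
  range.satisfied_by?(spec.version) && !vulnerable_files_in(spec).empty?
end

if __FILE__ == $PROGRAM_NAME
  spec = LOGSTASH_EVENT_SPEC
  puts "#{spec.name} #{spec.version}: version in range? #{ADVISORY_RANGE.satisfied_by?(spec.version)}"
  puts "affected files shipped: #{vulnerable_files_in(spec).inspect}"
  puts "advisory applies: #{advisory_applies?(spec)}"
end
```

Run as-is it reports that 1.2.02 sits inside the version range yet ships none of the affected files, so the advisory does not apply to this gem by file content.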