Skip to content

Commit 5f69d26

Browse files
jasnowRubySec CI
authored andcommitted
Updated advisory posts against rubysec/ruby-advisory-db@d3a4008
1 parent 49f1422 commit 5f69d26

1 file changed

Lines changed: 40 additions & 0 deletions

File tree

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2025-37730 (logstash-output-tcp): Improper certificate validation in Logstash''s
4+
TCP output...'
5+
comments: false
6+
categories:
7+
- logstash-output-tcp
8+
advisory:
9+
gem: logstash-output-tcp
10+
cve: 2025-37730
11+
ghsa: qrf7-ph5v-mj2v
12+
url: https://nvd.nist.gov/vuln/detail/CVE-2025-37730
13+
title: Improper certificate validation in Logstash's TCP output...
14+
date: 2025-05-06
15+
description: |-
16+
Improper certificate validation in Logstash's TCP output could lead
17+
to a man-in-the-middle (MitM) attack in “client” mode, as hostname
18+
verification in TCP output was not being performed when the
19+
ssl_verification_mode => full was set.
20+
cvss_v3: 6.5
21+
patched_versions:
22+
- "~> 6.2.2"
23+
- ">= 7.0.1"
24+
related:
25+
url:
26+
- https://nvd.nist.gov/vuln/detail/CVE-2025-37730
27+
- https://rubygems.org/gems/logstash-output-tcp/versions/7.0.1
28+
- https://rubygems.org/gems/logstash-output-tcp/versions/6.2.2
29+
- https://github.com/logstash-plugins/logstash-output-tcp/blob/main/CHANGELOG.md#701
30+
- https://github.com/logstash-plugins/logstash-output-tcp/pull/61
31+
- https://github.com/logstash-plugins/logstash-output-tcp/commit/e32bd16a1d96cd0bc821fa4b93149934050f4040
32+
- https://discuss.elastic.co/t/logstash-8-17-6-8-18-1-and-9-0-1-security-update-esa-2025-08/377869
33+
- https://github.com/advisories/GHSA-qrf7-ph5v-mj2v
34+
notes: |
35+
- GHSA is unreviewed.
36+
- Used cvss_v3 and date from nvs.nist.gov URL.
37+
- Above discuss URL says "Alternatively, users may also
38+
upgrade the TCP output plugin to 6.2.2 or 7.0.1 by running
39+
bin/logstash-plugin update logstash-output-tcp."
40+
---

0 commit comments

Comments
 (0)