Logstash 8.15.1 Security Update (ESA-2024-35)

Logstash Uncontrolled Resource Consumption vulnerability (ESA-2024-35)

On August 19, 2024, Floraison announced CVE-2024-43380, which affects the fugit "natural" parser. The parser turns natural-language phrases into a cron expression and was found to accept input of any length, so parsing very long strings causes uncontrolled resource consumption.
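The mitigation pattern behind this class of bug, shown here as an added example rather than code from Logstash or fugit: bound the length of untrusted input before any parsing work starts, so an over-long string is rejected in constant time instead of being fed to the parser. The names `parse_nat`, `parse_nat_unbounded`, `MAX_NAT_LENGTH` and `NatInputTooLong` are assumptions for this illustration, and the tiny phrase grammar is a constructed subset, not fugit's grammar.

```ruby
# Added example, not part of Logstash or fugit. Demonstrates a length guard
# in front of a small natural-language -> cron parser.

# Assumed cap on accepted input; choose a value that covers every legitimate
# phrase your configuration can produce.
MAX_NAT_LENGTH = 256

class NatInputTooLong < ArgumentError; end

DAYS = %w[sunday monday tuesday wednesday thursday friday saturday].freeze

# Constructed subset grammar:
#   "every minute"                  -> "* * * * *"
#   "every hour"                    -> "0 * * * *"
#   "every day at H[:MM]"           -> "MM H * * *"
#   "every <weekday> at H[:MM]"     -> "MM H * * <dow>"
# Returns nil for phrases outside the subset. No length check here: this is
# the "unbounded" parser that the guard below protects.
def parse_nat_unbounded(text)
  s = text.strip.downcase
  return "* * * * *" if s == "every minute"
  return "0 * * * *" if s == "every hour"

  pattern = /\Aevery (day|#{DAYS.join('|')}) at (\d{1,2})(?::(\d{2}))?\z/
  m = s.match(pattern)
  return nil unless m

  hour = m[2].to_i
  min  = (m[3] || "0").to_i
  raise ArgumentError, "hour out of range: #{hour}" unless (0..23).cover?(hour)
  raise ArgumentError, "minute out of range: #{min}" unless (0..59).cover?(min)

  dow = m[1] == "day" ? "*" : DAYS.index(m[1]).to_s
  "#{min} #{hour} * * #{dow}"
end

# Guarded entry point: reject over-long input before the parser sees it.
# The check is O(1) on the string length, so an attacker-sized input costs
# nothing beyond reading its length.
def parse_nat(text, max_length: MAX_NAT_LENGTH)
  if text.length > max_length
    raise NatInputTooLong, "input is #{text.length} chars, limit is #{max_length}"
  end
  parse_nat_unbounded(text)
end

if $PROGRAM_NAME == __FILE__
  puts parse_nat("every day at 5")          # 0 5 * * *
  puts parse_nat("every monday at 17:30")   # 30 17 * * 1
  begin
    parse_nat("x" * 100_000)               # constructed oversized input
  rescue NatInputTooLong => e
    puts "rejected: #{e.message}"
  end
end
```

The same guard belongs at every boundary where untrusted text reaches a parser whose cost grows with input size; a cap sized to the longest legitimate phrase turns an open-ended resource cost into a fixed one.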

Affected Versions:
Logstash versions 7.17.0 to 8.15.0.

Solutions and Mitigations:
Users should upgrade to version 8.15.1 or higher.

Severity: CVSS v3.1: 5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE ID: CVE-2024-43380