Medium Nessus Plugin ID 112039
SynopsisThe remote web server hosts a Java application that is affected by an
unauthorised information disclosure vulnerability.
DescriptionX-Pack Security versions prior to 5.4.1 and 5.3.3 did not always
correctly apply Document Level Security to index aliases. This bug
could allow a user with restricted permissions to view data they
should not have access to when performing certain operations against
an index alias.
SolutionAll users of X-Pack security should upgrade to version 5.3.3 or 5.4.1.
If you cannot upgrade disabling the request cache on an index will
mitigate this bug.