Medium Nessus Plugin ID 112039
Synopsis
The remote web server hosts a Java application that is affected by an unauthorised information disclosure vulnerability.

Description
X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. This bug could allow a user with restricted permissions to view data they should not have access to when performing certain operations against an index alias.

Solution
All users of X-Pack Security should upgrade to version 5.3.3 or 5.4.1.
If you cannot upgrade, disabling the request cache on an index will mitigate this bug.