Low Nessus Plugin ID 112046
SynopsisThe remote web server hosts a Java application that is affected by an unauthorised information disclosure vulnerability.
DescriptionA sensitive data disclosure flaw was found in the Elasticsearch repository-azure (formerly elasticsearch-cloud-azure) plugin. When the repository-azure plugin is set to log at TRACE level Azure credentials can be inadvertently logged.
SolutionAll users of Elasticsearch should upgrade to version 6.3.0. This update will prevent the repository-azure plugin to expose Azure credentials in Elasticsearch logs.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.