Logstash 8.x < 8.19.14 / 9.x < 9.2.8 / 9.3.x < 9.3.3 Path Traversal (ESA-2026-29)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(305951);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/23");

  script_cve_id("CVE-2026-33466");
  script_xref(name:"IAVB", value:"2026-B-0091");

  script_name(english:"Logstash 8.x < 8.19.14 / 9.x < 9.2.8 / 9.3.x < 9.3.3 Path Traversal (ESA-2026-29)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a path traversal vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Logstash installed on the remote host is 8.x prior to 8.19.14, 9.x prior to 9.2.8, or 9.3.x prior to
9.3.3. It is, therefore, affected by a path traversal vulnerability:

  - The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives.
    An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled
    update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In
    certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code
    execution. (CVE-2026-33466)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?459f77d0");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Logstash version 8.19.14, 9.2.8, 9.3.3, or later.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-33466");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/04/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/10");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:elasticsearch:logstash");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("logstash_api_detect.nbin", "logstash_linux_installed.nbin", "macos_logstash_installed.nbin");
  script_require_keys("installed_sw/Logstash");

  exit(0);
}

include('vdf.inc');

# @tvdl-content
var vuln_data = {
  'metadata': {'spec_version': '1.0'},
  'checks': [
    {
      'product': {'name': 'Logstash', 'type': 'app'},
      'check_algorithm': 'default',
      'constraints': [
        {'min_version': '8.0.0', 'fixed_version': '8.19.14'},
        {'min_version': '9.0.0', 'fixed_version': '9.2.8'},
        {'min_version': '9.3.0', 'fixed_version': '9.3.3'}
      ]
    }
  ]
};

var result = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_HOLE);
vdf::handle_check_and_report_errors(vdf_result:result);