7.5
CVSS V3
Status
Fixed version
8.15.0-r2
Status
Impact
GHSA-r55c-59qm-vjw6 still affects the currently vendored/bundled rexml 3.3.2. The fix is still pending upstream in logstash, which needs to bump its bundled version of jruby (and thus rexml). jruby has landed changes upstream at https://github.com/jruby/jruby/commit/201a87abd48d0630acc1b5a21787d079d3050180 but no new tag has been created yet.
Status
Impact
Logstash bundles an old version of jruby v3.2.5 which installs a vulnerable version of rexml. Upstream jruby should fix this vulnerability for this version when it updates its default gems in a future release.
Status