Exposure of Sensitive Information to an Unauthorized Actor in sscarduzio/elasticsearch-readonlyrest-plugin
Jan 12th 2022
elasticsearch-readonlyrest-plugin is using TLS. There are many serious vulnerabilities in early TLS that, left unaddressed, put organizations at risk of being breached. The widespread POODLE and BEAST exploits are just a couple of examples of how attackers have taken advantage of weaknesses in early TLS to compromise organizations.
Among other weaknesses, TLS 1.0 is vulnerable to man-in-the-middle attacks, risking the integrity and authentication of data sent between a website and a browser.
According to NIST, there are no fixes or patches that can adequately repair early TLS. Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible and disable any fallback to early TLS.
Recommendation: use TLS 1.3 or 1.2.