An attacker could use the File output plugin with dynamic field
references in the path option to traverse paths outside of the Logstash
directory. This technique could also be used to overwrite any file
that is accessible with the permissions of the Logstash
user. This release sandboxes the paths that can be traversed using
the configuration. We have also disallowed the use of dynamic field
references if the path option points to an absolute path.
We have added this vulnerability to our CVE page and are working
on filling out the CVE. We would like to thank Colin Coghill for
reporting the issue and working with us on the resolution.
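
The two restrictions described above, sketched as an added example; this is not Logstash's own code. The names `resolve_output_path`, `path_allowed?` and `UnsafePathError`, the base directory and the sample events are all hypothetical.

```ruby
require "pathname"

# Hypothetical names throughout; this is not the plugin's implementation.
FIELD_REF = /%\{([^}]+)\}/   # matches a %{field} reference
class UnsafePathError < StandardError; end

# Expand field references in `template` from `event` (a Hash) and return the
# absolute output path, raising UnsafePathError if it would leave `base_dir`.
def resolve_output_path(template, event, base_dir)
  base = File.expand_path(base_dir)
  # A static path is operator-controlled; nothing from the event reaches it.
  return File.expand_path(template, base) unless template.match?(FIELD_REF)

  if Pathname.new(template).absolute?
    raise UnsafePathError, "field references not allowed in absolute path #{template.inspect}"
  end

  expanded = template.gsub(FIELD_REF) do
    # Unknown fields stay as the literal reference text.
    event.fetch(Regexp.last_match(1), Regexp.last_match(0)).to_s
  end
  # File.join anchors the result under base even if a field value starts with "/";
  # expand_path then collapses "." and ".." lexically (symlinks are NOT resolved).
  candidate = File.expand_path(File.join(base, expanded))
  # Compare against base plus a separator so "/opt/logstash/out-old" does not
  # pass as being inside "/opt/logstash/out".
  unless candidate.start_with?(base + File::SEPARATOR)
    raise UnsafePathError, "#{expanded.inspect} resolves outside #{base}"
  end
  candidate
end

def path_allowed?(template, event, base_dir)
  resolve_output_path(template, event, base_dir)
  true
rescue UnsafePathError
  false
end

if __FILE__ == $PROGRAM_NAME
  base = "/opt/logstash/out"   # constructed sandbox root
  [{ "host" => "web01" }, { "host" => "../../../etc/cron.d" }].each do |event|
    puts "#{event["host"].inspect}: allowed=#{path_allowed?("%{host}/app.log", event, base)}"
  end
end
```

The check is lexical, so a symlink already present inside the base directory would still need separate handling.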