CVE-2024-37286 — Log File Information Exposure in Elastic Apm-server

CWE-532 — Log File Information Exposure5 documents4 sources

Severity

6.5MEDIUMNVD

CNA5.7

EPSS

0.4%

top 37.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Elastic Apm-server Elastic APM Server

Timeline

PublishedAug 3

Latest updateAug 6

Description

APM server logs contain document body from a partially failed bulk index request. For example, in case of unavailable_shards_exception for a specific document, since the ES response line contains the document body, and that APM server logs the ES response line on error, the document is effectively logged.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDelastic/apm_server< 8.14.0

▶Gogithub.com/elastic_apm-server< 8.14.0

🔴Vulnerability Details

OSV

APM Server vulnerable to Insertion of Sensitive Information into Log File in github.com/elastic/apm-server↗2024-08-06

▶

GHSA

APM Server vulnerable to Insertion of Sensitive Information into Log File↗2024-08-03

▶

OSV

APM Server vulnerable to Insertion of Sensitive Information into Log File↗2024-08-03

▶

CVEList

APM Server Insertion of Sensitive Information into Log File↗2024-08-03

▶