Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04cjMzLXE1ajUtcmg3Z84AA5Jo
APM Server vulnerable to Insertion of Sensitive Information into Log File
An issue was discovered whereby APM Server could log at ERROR level, a response from Elasticsearch indicating that indexing the document failed and that response would contain parts of the original document. Depending on the nature of the document that the APM Server attempted to ingest, this could lead to the insertion of sensitive or private information in the APM Server logs.
Permalink: https://github.com/advisories/GHSA-8r33-q5j5-rh7gJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cjMzLXE1ajUtcmg3Z84AA5Jo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 14 days ago
CVSS Score: 5.7
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-8r33-q5j5-rh7g, CVE-2024-23448
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-23448
- https://discuss.elastic.co/t/apm-server-8-12-1-security-update-esa-2024-03/352688
- https://www.elastic.co/community/security
- https://github.com/advisories/GHSA-8r33-q5j5-rh7g
Affected Packages
go:github.com/elastic/apm-server
Dependent packages: 0Dependent repositories: 1
Downloads:
Affected Version Ranges: < 8.12.1
Fixed in: 8.12.1
All affected versions: 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.3.0, 6.3.1, 6.3.2, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.6.0, 6.6.1, 6.6.2, 6.7.0, 6.7.1, 6.7.2, 6.8.0, 6.8.1, 6.8.2, 6.8.3, 6.8.4, 6.8.5, 6.8.6, 6.8.7, 6.8.8, 6.8.9, 6.8.10, 6.8.11, 6.8.12, 6.8.13, 6.8.14, 6.8.15, 6.8.16, 6.8.17, 6.8.18, 6.8.19, 6.8.20, 6.8.21, 6.8.22, 6.8.23, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2, 7.4.0, 7.4.1, 7.4.2, 7.5.0, 7.5.1, 7.5.2, 7.6.0, 7.6.1, 7.6.2
All unaffected versions: