Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mNmNqLTRoM2ctaHdxNM4AA-Wv
APM Server vulnerable to Insertion of Sensitive Information into Log File
APM server logs contain document body from a partially failed bulk index request. For example, in case of unavailable_shards_exception for a specific document, since the ES response line contains the document body, and that APM server logs the ES response line on error, the document is effectively logged.
Permalink: https://github.com/advisories/GHSA-f6cj-4h3g-hwq4JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNmNqLTRoM2ctaHdxNM4AA-Wv
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 months ago
Updated: 4 months ago
CVSS Score: 5.7
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-f6cj-4h3g-hwq4, CVE-2024-37286
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-37286
- https://discuss.elastic.co/t/apm-server-8-14-0-security-update-esa-2024-19/364289
- https://pkg.go.dev/vuln/GO-2024-3037
- https://github.com/advisories/GHSA-f6cj-4h3g-hwq4
Affected Packages
go:github.com/elastic/apm-server
Dependent packages: 0Dependent repositories: 1
Downloads:
Affected Version Ranges: < 8.14.0
Fixed in: 8.14.0
All affected versions: 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.3.0, 6.3.1, 6.3.2, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.6.0, 6.6.1, 6.6.2, 6.7.0, 6.7.1, 6.7.2, 6.8.0, 6.8.1, 6.8.2, 6.8.3, 6.8.4, 6.8.5, 6.8.6, 6.8.7, 6.8.8, 6.8.9, 6.8.10, 6.8.11, 6.8.12, 6.8.13, 6.8.14, 6.8.15, 6.8.16, 6.8.17, 6.8.18, 6.8.19, 6.8.20, 6.8.21, 6.8.22, 6.8.23, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2, 7.4.0, 7.4.1, 7.4.2, 7.5.0, 7.5.1, 7.5.2, 7.6.0, 7.6.1, 7.6.2
All unaffected versions: