Vulnerability Information
Vulnerability Title
Elastic Agent Insertion of Sensitive Information into Log File
Vulnerability Description
An issue was discovered by Elastic whereby Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Elastic Agent attempted to ingest, this could lead to the insertion of sensitive or private information in the Elastic Agent logs. Elastic has released 8.11.3 and 7.17.16, which prevent this issue by limiting these types of logs to DEBUG level logging, which is disabled by default.
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Vulnerability Type
Information Exposure Through Log Files
Vulnerability Title
Elastic Security Vulnerability
Vulnerability Description
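Elastic is an open-source, distributed RESTful search engine built on Lucene by Elastic, a company based in the Netherlands. The product is mainly used in cloud computing and supports indexing data as JSON over HTTP. Elastic Agent and Beats versions 7.0.0 through 7.17.16 and 8.0.0 through 8.11.3 contain a security vulnerability. It arises because, when ingesting a raw event into Elasticsearch fails with any 4xx HTTP status code other than 409 or 429, Beats and Elastic Agent will, in their own logs, at the WARN or ERROR level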
CVSS Information
N/A
Vulnerability Type
N/A