CVE-2023-46672
8.4
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Summary
An issue was identified by Elastic whereby sensitive information is recorded in Logstash logs under specific circumstances.
The prerequisites for the manifestation of this issue are:
Logstash is configured to log in JSON format https://www.elastic.co/guide/en/logstash/current/running-logstash-command-line.html , which is not the default logging format.
Sensitive data is stored in the Logstash keystore and referenced as a variable in Logstash configuration.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Elastic | Logstash | 8.10.0 < 8.11.1 | affected |
Weaknesses
- CWE-532: CWE-532 Insertion of Sensitive Information into Log File
ADP Enrichment
CVE Program Container
Additional References
- https://discuss.elastic.co/t/logstash-8-11-1-security-update-esa-2023-26/347191
- https://www.elastic.co/community/security
- https://security.netapp.com/advisory/ntap-20240125-0002/
- https://security.netapp.com/advisory/ntap-20240229-0001/
References
- https://discuss.elastic.co/t/logstash-8-11-1-security-update-esa-2023-26/347191
- https://www.elastic.co/community/security
- https://security.netapp.com/advisory/ntap-20240125-0002/
- https://security.netapp.com/advisory/ntap-20240229-0001/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.