CVE-2024-11994 MEDIUM

CVE-2024-11994: APM Server Insertion of Sensitive Information into Log File

Vendor Elastic
Product APM Server
Weakness CWE-200 · Info exposure
Published May 1, 2025
Last update May 1, 2025

CVSS base score

5.7/10
Attack vector Adjacent
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

APM Server logs could contain parts of the document body from a partially failed bulk index request. Depending on the nature of the document, this could disclose sensitive information in APM Server error logs.

Key dates

02 Disclosure timeline

May 1, 2025 CVE published
May 1, 2025 Record updated