PT-2023-23309 · Elastic · Apm Server+1
Ismisepaul · Published 2023-10-26 · Updated 2024-07-25
CVE-2023-31416
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
ECK versions prior to 2.8
APM Server versions 8.0 and later
Description
The secret token configuration is not applied when using ECK with a version less than 2.8 alongside an APM Server version 8.0 or greater. This could lead to anonymous requests being accepted by the APM Server and the data being ingested into the APM deployment.
Recommendations
For ECK versions prior to 2.8, update to version 2.8 or later to ensure the secret token configuration is applied correctly.
For APM Server versions 8.0 and later, consider restricting access to the APM Server until the ECK version is updated to 2.8 or later.
Fix
Information Disclosure
Affected Products
Apm Server
Eck