x/vulndb: potential Go vuln in github.com/elastic/apm-server: GHSA-f6cj-4h3g-hwq4

[GoVulnBot]

Advisory GHSA-f6cj-4h3g-hwq4 references a vulnerability in the following Go modules:

Module
github.com/elastic/apm-server

Description:
APM server logs contain document body from a partially failed bulk index request. For example, in case of unavailable_shards_exception for a specific document, since the ES response line contains the document body, and that APM server logs the ES response line on error, the document is effectively logged.

References:

• ADVISORY: GHSA-f6cj-4h3g-hwq4
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-37286
• WEB: https://discuss.elastic.co/t/apm-server-8-14-0-security-update-esa-2024-19/364289

Cross references:

• github.com/elastic/apm-server appears in 1 other report(s):
  • data/reports/GO-2024-2556.yaml (x/vulndb: potential Go vuln in github.com/elastic/apm-server: GHSA-8r33-q5j5-rh7g #2556)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/elastic/apm-server
      non_go_versions:
        - fixed: 8.14.0
      vulnerable_at: 6.8.23+incompatible
summary: APM Server vulnerable to Insertion of Sensitive Information into Log File in github.com/elastic/apm-server
cves:
    - CVE-2024-37286
ghsas:
    - GHSA-f6cj-4h3g-hwq4
references:
    - advisory: https://github.com/advisories/GHSA-f6cj-4h3g-hwq4
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-37286
    - web: https://discuss.elastic.co/t/apm-server-8-14-0-security-update-esa-2024-19/364289
source:
    id: GHSA-f6cj-4h3g-hwq4
    created: 2024-08-05T15:01:22.7243744Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/603235 mentions this issue: data/reports: add 29 unreviewed reports