github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-hj4r-2c9c-29h3] Elastic Beats inserts sensitive information into log file #4552

Closed levinebw closed 1 week ago

levinebw commented 1 week ago

Updates

Comments

The affected product (package) is github.com/elastic/beats

shelbyc commented 1 week ago

Hi @levinebw, we have the affected product set to github.com/elastic/beats/v7 because, according to https://discuss.elastic.co/t/beats-and-elastic-agent-8-11-3-7-17-16-security-update-esa-2023-30/349180, github.com/elastic/beats doesn't become vulnerable until version 7.0.0, which is the first version covered by github.com/elastic/beats/v7. Changing the affected product to github.com/elastic/beats but keeping the < 7.17.16 vulnerable version range would mean that users of non-vulnerable versions would inappropriately receive Dependabot alerts and users of vulnerable versions would fail to receive Dependabot alerts.

I hope I adequately explained why the affected product for the 7.x branch is set to github.com/elastic/beats/v7 and why we won't change the affected product for the 7.x branch to github.com/elastic/beats. Please feel free to follow up if you have any questions, and have a great week!

levinebw commented 1 week ago

Ok thanks @shelbyc, it appears that some scanners (Prisma, Trivy) are identifying non-vulnerable versions as vulnerable. I've submitted a separate commit to correct the introduced version, which may be the reason:

  "ranges": [
    {
      "type": "ECOSYSTEM",
      "events": [
        {
        -  "introduced": "0"
        + "introduced": "7.0.0"
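Review bot: the excerpt changes only the `introduced` event and stops before the matching `fixed` event, so it cannot be confirmed from the hunk that the upper bound of the range (`< 7.17.16`, as discussed above) is unchanged for this module path; quoting the complete `events` array, e.g. `{"introduced": "7.0.0"}, {"fixed": "7.17.16"}`, would make the resulting range unambiguous. Since this range sits under the base path `github.com/elastic/beats` rather than `github.com/elastic/beats/v7`, it is also worth stating in the commit which module path the hunk belongs to, because the two entries are evaluated independently by consumers.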

levinebw commented 1 week ago

Hi @shelbyc please see the separate request to update the Affected versions for v7. Thanks!

advisory-database[bot] commented 1 week ago

Hi @levinebw! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

shelbyc commented 1 week ago

@levinebw Thanks for following up and for your care and concern for accuracy! This ended up being a very interesting community contribution. I did a little more digging as part of this contribution and, as it turns out, you were correct to include github.com/elastic/beats in addition to github.com/elastic/beats/v7. I misread https://pkg.go.dev/github.com/elastic/beats/v7?tab=versions, which shows 7.7.0 as the first version on the v7 branch, not 7.0.0. https://pkg.go.dev/github.com/elastic/beats?tab=versions has a version called [v7.0.0+incompatible](https://pkg.go.dev/github.com/elastic/beats@v7.0.0+incompatible). For the sake of completeness, I've included the vulnerable version range >= 7.0.0, < 7.17.16 for both github.com/elastic/beats/v7 and github.com/elastic/beats.
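The two comments above turn on how a consumer of the advisory matches a Go module path plus version against an OSV-style `ranges` entry, and why `introduced: "0"` over-reports while a missing base-path entry under-reports. The following is an added example, not code from this thread or from the GitHub Advisory Database; the affected entries are constructed to mirror the corrected ranges discussed (`>= 7.0.0, < 7.17.16` under both `github.com/elastic/beats/v7` and `github.com/elastic/beats`), and the dependency list it evaluates is made up. It ignores `+incompatible` build metadata for ordering, as Go's own version ordering does, and does not handle pre-release tags.

```python
"""Evaluate OSV-style Go affected ranges against module@version pairs (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed advisory data modelled on the thread's corrected entries: both module
# paths carry the range >= 7.0.0, < 7.17.16. Not the database's actual record.
CORRECTED_AFFECTED = [
    {"package": {"ecosystem": "Go", "name": "github.com/elastic/beats/v7"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "7.0.0"}, {"fixed": "7.17.16"}]}]},
    {"package": {"ecosystem": "Go", "name": "github.com/elastic/beats"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "7.0.0"}, {"fixed": "7.17.16"}]}]},
]

# Constructed entry showing the earlier state the thread describes: introduced "0"
# on the base path makes every pre-7.0.0 version look vulnerable.
OVERBROAD_AFFECTED = [
    {"package": {"ecosystem": "Go", "name": "github.com/elastic/beats"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "7.17.16"}]}]},
]

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v7.0.0+incompatible' or '7.17.16' into a comparable (major, minor, patch).

    '0' is the OSV marker for 'from the first version'. Build metadata such as
    '+incompatible' is stripped for ordering; pre-release suffixes are not handled.
    """
    if v == "0":
        return (0, 0, 0)
    m = _VER_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(x) for x in m.groups())


def in_range(events: List[Dict[str, str]], version: str) -> bool:
    """OSV event semantics over a sorted event list: a version is affected once it
    reaches an 'introduced' event and stops being affected at the next 'fixed'."""
    ver = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev and ver >= parse_version(ev["introduced"]):
            affected = True
        elif "fixed" in ev and ver >= parse_version(ev["fixed"]):
            affected = False
    return affected


def is_affected(affected_entries: List[dict], module_path: str, version: str) -> bool:
    """Match on the exact module path as go.mod records it. For major versions >= 2
    that path normally ends in /vN; a module that did not adopt the suffix keeps the
    base path and its versions carry '+incompatible', which is why both entries exist."""
    for entry in affected_entries:
        if entry["package"]["name"] != module_path:
            continue
        for rng in entry["ranges"]:
            if in_range(rng["events"], version):
                return True
    return False


def scan(affected_entries: List[dict], deps: List[Tuple[str, str]]) -> List[str]:
    """Return the 'path@version' strings from a dependency list that are affected."""
    return [f"{p}@{v}" for p, v in deps if is_affected(affected_entries, p, v)]


if __name__ == "__main__":
    # Constructed dependency list, as a scanner might read it from a go.mod/go.sum.
    deps = [
        ("github.com/elastic/beats", "v6.8.0+incompatible"),
        ("github.com/elastic/beats", "v7.0.0+incompatible"),
        ("github.com/elastic/beats/v7", "v7.17.15"),
        ("github.com/elastic/beats/v7", "v7.17.16"),
    ]
    print("corrected ranges:", scan(CORRECTED_AFFECTED, deps))
    print("introduced=0 on base path:", scan(OVERBROAD_AFFECTED, deps))
```

Run as a script, the first line reports only the 7.0.0 and 7.17.15 entries, while the second shows v6.8.0+incompatible flagged as well, which is the false-positive pattern the thread attributes to the `introduced: "0"` value; dropping the base-path entry altogether would instead silently miss `v7.0.0+incompatible`.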