GCVE - cpe:2.3:a:elastic:apm_server:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:elastic:apm_server:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Elastic (`1d0b8d2a-fd47-5b20-b005-34326f9bd037`)
Product	Apm Server (`0349b51c-b2fa-5c4a-81d3-303878a38311`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:github/elastic/apm-server`	purl2cpe	2026-06-01 10:15:14.297623
`pkg:golang/github.com/elastic/apm-server`	purl2cpe	2026-06-01 10:15:14.297625

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-0712`	vulnerable	2026-06-03 14:58:32.699389	APM Server Uncontrolled Search Path Element can lead to Local Privilege Escalation (LPE) when using the Windows Installer HIGH (7) An uncontrolled search path element vulnerability can lead to local privilege Escalation (LPE) via Insecure Directory Permissions. The vulnerability arises from improper handling of directory permissions. An attacker with local access may exploit this flaw to move and delete arbitrary files, potentially gaining SYSTEM privileges. Published: 2025-07-30T00:12:43.639Z Updated: 2025-07-30T14:06:16.977Z Open on db.gcve.eu Reference links https://discuss.elastic.co/t/beats-windows-installer-9-1-0-security-update-esa-2025-12/380558	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-37286`	vulnerable	2026-06-03 14:56:06.246461	APM Server Insertion of Sensitive Information into Log File MEDIUM (5.7) APM server logs contain document body from a partially failed bulk index request. For example, in case of unavailable_shards_exception for a specific document, since the ES response line contains the document body, and that APM server logs the ES response line on error, the document is effectively logged. Published: 2024-08-03T15:16:22.700Z Updated: 2024-09-03T15:36:33.784Z Open on db.gcve.eu Reference links https://discuss.elastic.co/t/apm-server-8-14-0-security-update-esa-2024-19/364289	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-37286`	not_vulnerable	2026-06-03 14:56:06.246407	APM Server Insertion of Sensitive Information into Log File MEDIUM (5.7) APM server logs contain document body from a partially failed bulk index request. For example, in case of unavailable_shards_exception for a specific document, since the ES response line contains the document body, and that APM server logs the ES response line on error, the document is effectively logged. Published: 2024-08-03T15:16:22.700Z Updated: 2024-09-03T15:36:33.784Z Open on db.gcve.eu Reference links https://discuss.elastic.co/t/apm-server-8-14-0-security-update-esa-2024-19/364289	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-23448`	vulnerable	2026-06-03 14:55:03.907890	APM Server Insertion of Sensitive Information into Log File MEDIUM (5.7) An issue was discovered whereby APM Server could log at ERROR level, a response from Elasticsearch indicating that indexing the document failed and that response would contain parts of the original document. Depending on the nature of the document that the APM Server attempted to ingest, this could lead to the insertion of sensitive or private information in the APM Server logs. Published: 2024-02-07T21:37:45.908Z Updated: 2024-08-01T23:06:24.582Z Open on db.gcve.eu Reference links https://discuss.elastic.co/t/apm-server-8-12-1-security-update-esa-2024-03/352688 https://www.elastic.co/community/security	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-11994`	vulnerable	2026-06-03 14:54:15.310229	APM Server Insertion of Sensitive Information into Log File MEDIUM (5.7) APM server logs could contain parts of the document body from a partially failed bulk index request. Depending on the nature of the document, this could disclose sensitive information in APM Server error logs. Published: 2025-05-01T13:06:54.194Z Updated: 2025-05-01T15:32:54.220Z Open on db.gcve.eu Reference links https://discuss.elastic.co/t/apm-server-8-16-1-security-update-esa-2024-41/377710	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-31421`	vulnerable	2026-06-03 14:51:55.726356	Beats, Elastic Agent, APM Server, and Fleet Server Improper Certificate Validation issue MEDIUM (5.9) It was discovered that when acting as TLS clients, Beats, Elastic Agent, APM Server, and Fleet Server did not verify whether the server certificate is valid for the target IP address; however, certificate signature validation is still performed. More specifically, when the client is configured to connect to an IP address (instead of a hostname) it does not validate the server certificate's IP SAN values against that IP address and certificate validation fails, and therefore the connection is not blocked as expected. Published: 2023-10-26T03:10:52.684Z Updated: 2024-08-02T14:53:30.714Z Open on db.gcve.eu Reference links https://discuss.elastic.co/t/beats-elastic-agent-apm-server-and-fleet-server-8-10-1-security-update-improper-certificate-validation-issue-esa-2023-16/343385 https://www.elastic.co/community/security	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-31416`	not_vulnerable	2026-06-03 14:51:55.716416	Elastic Cloud on Kubernetes (ECK) secret token configuration issue MEDIUM (5.3) Secret token configuration is never applied when using ECK <2.8 with APM Server >=8.0. This could lead to anonymous requests to an APM Server being accepted and the data ingested into this APM deployment. Published: 2023-10-26T18:46:21.531Z Updated: 2024-09-09T16:16:37.729Z Open on db.gcve.eu Reference links https://discuss.elastic.co/t/elastic-cloud-on-kubernetes-eck-2-8-security-update/343854 https://www.elastic.co/community/security	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.