CVE-2024-52975: Fleet Server sensitive information exposure via logs

9.0 CVSS

Description

An issue was identified in Fleet Server where Fleet policies that could contain sensitive information were written to the log at the INFO and ERROR log levels. The nature of the sensitive information largely depends on the integrations enabled.

Classification

CVE ID: CVE-2024-52975

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.0

Affected Products

Vendor: Elastic

Product: Fleet Server

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.72% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-21 (date on which this score was calculated)

References

https://discuss.elastic.co/t/fleet-server-8-15-0-security-update-esa-2024-31/373522

Timeline