VYPR
Unrated severity · NVD Advisory · Published Feb 1, 2024 · Updated Aug 1, 2024

Insertion of Sensitive Information into Log File vulnerabilities affecting DELMIA Apriso Release 2019 through Release 2024

CVE-2024-0935

Description

Sensitive information is written into log files in DELMIA Apriso 2019 through 2024, allowing local attackers or users with log access to retrieve potentially confidential data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

DELMIA Apriso contains an insertion-of-sensitive-information-into-log-file vulnerability that affects all versions from Release 2019 through Release 2024 [1]. The flaw allows sensitive data (such as credentials, internal paths, or confidential configuration details) to be inadvertently recorded in application logs when certain normal operations occur. No special configuration or privilege is required for the logging mechanism itself; it is a default behavior of the affected product versions.

Exploitation

An attacker does not need network access or authentication to the application server directly, but must gain access to the log files, either by having local system access to the server (e.g., as an authorized user or low-privileged process) or via other means such as a separate information disclosure that reveals log location or content [1]. Exploitation requires no user interaction beyond the attacker reading the file, and no special race condition or timing is necessary. The attack sequence involves locating the relevant log files and parsing them for sensitive strings that were written during normal application operation.

Impact

Successful exploitation leads to the disclosure of sensitive information, which may include credentials, internal file paths, database connection strings, or proprietary business data [1]. The confidentiality impact is high, but the attacker does not gain direct code execution or privilege escalation—though the leaked secrets could be leveraged in a broader attack chain. The scope of compromise is limited to the information contained in logs, which may vary widely depending on application configuration and user activity.

Mitigation

The available reference [1] does not list a specific patch version from Dassault Systèmes for this vulnerability. The advisory indicates that users should monitor the vendor’s security advisories page and support knowledge base for updated guidance. As a workaround, administrators should restrict access to log files to only authorized personnel, ensure logs are stored in a secure directory, and consider implementing log rotation and redaction mechanisms. No KEV listing has been published at this time.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
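
The redaction workaround named under Mitigation can be sketched as a filter that masks secret values before log lines are stored or forwarded. This is an added example, not vendor code or part of the advisory; the sample lines, key names and patterns are constructed assumptions and do not reflect the actual DELMIA Apriso log format.

```python
import re

# Constructed sample lines; not taken from any DELMIA Apriso log.
SAMPLE_LOG = [
    "2024-02-01 10:00:01 INFO Opening Data Source=db01;User ID=svc_app;Password=Sup3r!Secret;Encrypt=True",
    '2024-02-01 10:00:02 DEBUG login request user=jdoe password="hunter2 with space" result=ok',
    "2024-02-01 10:00:03 DEBUG outbound call Authorization: Bearer abc.def.ghi",
    "2024-02-01 10:00:04 INFO work order 4711 released",
]

MASK = "[REDACTED]"

# Each rule keeps group 1 (the key and its separator) and masks the value after it.
RULES = [
    # Authorization headers: optional scheme plus the token itself.
    re.compile(r"(?i)(\bauthorization\s*[:=]\s*)(?:(?:bearer|basic)\s+)?[^\s;,]+"),
    # key=value or key: value secrets; the value may be quoted or run to a delimiter.
    re.compile(r"(?i)(\b(?:password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*)"
               r"(?:\"[^\"]*\"|'[^']*'|[^\s;,&]+)"),
]

def redact(line):
    """Return (redacted_line, number_of_values_masked)."""
    hits = 0
    for rule in RULES:
        line, n = rule.subn(lambda m: m.group(1) + MASK, line)
        hits += n
    return line, hits

def redact_stream(lines):
    """Redact every line; return cleaned lines and the indexes of lines that held secrets."""
    cleaned, leaked = [], []
    for i, line in enumerate(lines):
        out, hits = redact(line)
        cleaned.append(out)
        if hits:
            leaked.append(i)
    return cleaned, leaked

if __name__ == "__main__":
    cleaned, leaked = redact_stream(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print("lines that contained secrets:", leaked)
```

Pattern-based redaction only catches the key names it knows about, so it complements the access restrictions on the log directory rather than replacing them.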

Affected products: 2

Patches: 0. No patches discovered yet.

References: 1