Lucene search

[email protected]CVE-2021-22133

HistoryFeb 10, 2021 - 7:15 p.m.

CVE-2021-22133

2021-02-1019:15:12

CWE-532

[email protected]

web.nvd.nist.gov

100

cve-2021-22133

elastic

apm

agent

http

header

information

leak

application

panic

security

2.7 Low

CVSS2

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:A/AC:L/Au:S/C:P/I:N/A:N

2.4 Low

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

3.4 Low

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.6%

JSON

The Elastic APM agent for Go versions before 1.11.0 can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application panic it is possible the headers will not be sanitized before being sent.

Affected configurations

NVD

Node

elasticapm_agentRange<1.11.0go

CPENameOperatorVersion
elastic:apm_agentelastic apm agentlt1.11.0

CPE	Name	Operator	Version
elastic:apm_agent	elastic apm agent	lt	1.11.0

CNA Affected

[
  {
    "product": "Elastic APM Agent for Go",
    "vendor": "Elastic",
    "versions": [
      {
        "status": "affected",
        "version": "before 1.11.0"
      }
    ]
  }
]