CVE-2021-22143

2023-11-2202:15:41

CWE-532

CWE-200

[email protected]

web.nvd.nist.gov

cve-2021-22143

elastic apm

.net agent

sensitive data leakage

http header

application error

nvd

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.0%

JSON

The Elastic APM .NET Agent can leak sensitive HTTP header information when logging the details during an application error. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application error it is possible the headers will not be sanitized before being sent.

Affected configurations

NVD

Node

elasticapm_.net_agentRange<1.10.0

CPENameOperatorVersion
elastic:apm_.net_agentelastic apm .net agentlt1.10.0

CPE	Name	Operator	Version
elastic:apm_.net_agent	elastic apm .net agent	lt	1.10.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Elastic APM .NET Agent",
    "vendor": "Elastic",
    "versions": [
      {
        "lessThan": "1.10.0",
        "status": "affected",
        "version": "1.0.0",
        "versionType": "semver"
      }
    ]
  }
]