When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing.
[
{
"product": "Elastic APM agent for Python",
"vendor": "Elastic",
"versions": [
{
"status": "affected",
"version": "before 5.1.0"
}
]
}
]