Lucene search

[email protected]CVE-2021-22143

HistoryNov 22, 2023 - 2:15 a.m.

CVE-2021-22143

2023-11-2202:15:00

CWE-532

[email protected]

web.nvd.nist.gov

cve-2021-22143

elastic apm

.net agent

sensitive data leakage

http header

application error

nvd

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

6.7 Medium

AI Score

Confidence

Low

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

13.1%

JSON

The Elastic APM .NET Agent can leak sensitive HTTP header information when logging the details during an application error. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application error it is possible the headers will not be sanitized before being sent.

CPENameOperatorVersion
elastic:apm_.net_agentelastic apm .net agentlt1.10.0

CPE	Name	Operator	Version
elastic:apm_.net_agent	elastic apm .net agent	lt	1.10.0

References

discuss.elastic.co/t/elastic-apm-net-agent-1-10-0-security-update/274668

www.elastic.co/community/security

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

6.7 Medium

AI Score

Confidence

Low

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

13.1%

JSON

Related for CVE-2021-22143

veracode1 osv2 github1 prion1