Elastic APM agent for Python client CGI proxy redirection flaw

2022-05-2416:54:36

Google

osv.dev

0.001 Low

EPSS

Percentile

51.0%

JSON

When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing.

CPENameOperatorVersion
elastic-apmeq4.2.1
elastic-apmeq2.0.0
elastic-apmeq1.0.0.dev0
elastic-apmeq2.0.1
elastic-apmeq4.1.0
elastic-apmeq5.0.0
elastic-apmeq2.2.0
elastic-apmeq1.0.0
elastic-apmeq1.0.0.dev1
elastic-apmeq2.1.0

Name	Operator	Version
elastic-apm	eq	4.2.1
elastic-apm	eq	2.0.0
elastic-apm	eq	1.0.0.dev0
elastic-apm	eq	2.0.1
elastic-apm	eq	4.1.0
elastic-apm	eq	5.0.0
elastic-apm	eq	2.2.0
elastic-apm	eq	1.0.0
elastic-apm	eq	1.0.0.dev1
elastic-apm	eq	2.1.0