PT-2021-14861 · Elastic · Apm Agent For Go

Rob Liebowitz · Published 2021-02-10 · Updated 2021-05-18 · CVE-2021-22133

CVSS v2.0: 2.7 (Low)
Vector: AV:A/AC:L/Au:S/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Elastic APM agent for Go versions prior to 1.11.0

Description

The issue arises when the application panics, potentially leading to the leakage of sensitive HTTP header information. Normally, the APM agent sanitizes sensitive HTTP header details before sending them to the APM server. However, during an application panic, it is possible that these headers will not be sanitized before being sent.

Recommendations

For Elastic APM agent for Go versions prior to 1.11.0, update to version 1.11.0 or later to resolve the issue. As a temporary workaround, consider implementing additional logging sanitization measures to minimize the risk of sensitive HTTP header information leakage during application panics.
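
One form the interim log-sanitization measure could take, as an added example that is not code from this advisory or from the Elastic agent: a `net/http` middleware that recovers from a handler panic and writes only redacted headers to the log. The deny-list and the names `RedactHeaders`, `RecoverAndLog` and `Demo` are assumptions made for illustration, and the middleware covers the application's own panic logging, not the data the agent itself sends.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var sensitive = []string{"authorization", "cookie", "token", "secret", "password", "api-key"} // assumed deny-list of name fragments

// RedactHeaders returns a copy of h with sensitive values masked; h is not modified.
func RedactHeaders(h http.Header) http.Header {
	out := make(http.Header, len(h))
	for name, values := range h {
		out[name] = append([]string(nil), values...)
		for _, s := range sensitive {
			if strings.Contains(strings.ToLower(name), s) {
				out[name] = []string{"[REDACTED]"}
				break
			}
		}
	}
	return out
}

// RecoverAndLog logs a handler panic with redacted headers only, then answers 500.
func RecoverAndLog(next http.Handler, logf func(string, ...interface{})) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				logf("panic on %s %s: %v headers=%v", r.Method, r.URL.Path, rec, RedactHeaders(r.Header))
				http.Error(w, "internal server error", http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}

// Demo sends a constructed request through a handler that panics and returns what was logged.
func Demo() (status int, logged string) {
	logf := func(f string, a ...interface{}) { logged = fmt.Sprintf(f, a...) }
	req := httptest.NewRequest("GET", "/pay", nil)
	req.Header.Set("Authorization", "Bearer constructed-sample-token")
	req.Header.Set("Accept", "text/plain")
	rec := httptest.NewRecorder()
	RecoverAndLog(http.HandlerFunc(func(http.ResponseWriter, *http.Request) { panic("boom") }), logf).ServeHTTP(rec, req)
	return rec.Code, logged
}
func main() { fmt.Println(Demo()) }
```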

Fix

Insertion into Log File

Weakness Enumeration

Related Identifiers

CVE-2021-22133
GHSA-QQC5-RGCC-CJQH
GO-2022-0706

Affected Products

Apm Agent For Go