TLS Certificate Validation Flaw in Elastic APM Agent for Ruby
CVE-2019-7615
7.4 HIGH
Summary
A security flaw exists in the Elastic APM agent for Ruby in the way it validates TLS certificates. When a trusted server CA certificate is configured through the 'server_ca_cert' setting, the Ruby agent does not properly verify the certificate presented by the APM server. This leaves the application open to man-in-the-middle attacks, in which an attacker positioned on the network path can read or alter the communications between the Ruby agent and the server and thereby compromise sensitive data.
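As an added illustration, not code from the Elastic APM agent, the Ruby snippet below contrasts a TLS client context that loads a CA file yet never enforces verification (the class of misconfiguration the summary describes, not necessarily the agent's exact defect) with a hardened one, plus a check a reviewer can apply to any SSLContext; the CA bundle path is a constructed placeholder.

```ruby
require 'openssl'

# Constructed placeholder for the CA bundle an operator would pass
# via a setting such as server_ca_cert (assumed path, not from the page).
CA_BUNDLE_PATH = '/etc/apm/server_ca.pem'.freeze

# Weak: the CA file is loaded, but with VERIFY_NONE OpenSSL never checks
# the server's chain against it, so any certificate (including one forged
# by an on-path attacker) is accepted and the CA setting is a no-op.
def weak_ssl_context(ca_file)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ca_file = ca_file
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ctx
end

# Hardened: VERIFY_PEER forces chain validation against ca_file, and
# verify_hostname requires the certificate to match the APM server host,
# so a certificate signed by the trusted CA for some other name is rejected.
def hardened_ssl_context(ca_file)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ca_file = ca_file
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx
end

# Review check: a configured CA path alone proves nothing; the context
# must also demand peer verification and hostname matching.
def enforces_server_validation?(ctx)
  ctx.verify_mode == OpenSSL::SSL::VERIFY_PEER &&
    ctx.verify_hostname == true &&
    !(ctx.ca_file.nil? || ctx.ca_file.empty?)
end
```

Running the check against a client's context before it is handed to Net::HTTP (or whichever HTTP client the agent uses) catches the "CA configured but not enforced" state without needing a live server.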
Affected Version(s)
Elastic APM agent for Ruby before 2.9.0
References
CVSS V3.1
Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved