Variable Name Clash Flaw in Elastic APM Agent for Python by Elastic
CVE-2019-7617

7.2HIGH

Key Information:

Vendor
Elastic
Vendor
CVE Published:
22 August 2019

Summary

The Elastic APM agent for Python, when executed as a CGI script prior to version 5.1.0, is susceptible to a variable name clash issue. A remote attacker who can manipulate proxy headers may exploit this vulnerability to redirect APM data to an unauthorized proxy server. This flaw underscores the importance of securing application performance monitoring tools to prevent data leakage and unauthorized access.

Affected Version(s)

Elastic APM agent for Python before 5.1.0

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.