Variable Name Clash Flaw in Elastic APM Agent for Python by Elastic
CVE-2019-7617

7.2HIGH

Key Information:

Vendor: Elastic
Status: Elastic Apm Agent For Python
Vendor: CVE Published:; 22 August 2019

Summary

The Elastic APM agent for Python, when executed as a CGI script prior to version 5.1.0, is susceptible to a variable name clash issue. A remote attacker who can manipulate proxy headers may exploit this vulnerability to redirect APM data to an unauthorized proxy server. This flaw underscores the importance of securing application performance monitoring tools to prevent data leakage and unauthorized access.

Affected Version(s)

Elastic APM agent for Python before 5.1.0

References

https://www.elastic.co/community/security/

x_refsource_MISC

https://discuss.elastic.co/t/elastic-apm-agent-for-python...

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Aug 22, 2019
Vulnerability Reserved
Feb 7, 2019