Variable Name Clash Flaw in Elastic APM Agent for Python by Elastic
CVE-2019-7617
7.2HIGH
Summary
The Elastic APM agent for Python, when executed as a CGI script prior to version 5.1.0, is susceptible to a variable name clash issue. A remote attacker who can manipulate proxy headers may exploit this vulnerability to redirect APM data to an unauthorized proxy server. This flaw underscores the importance of securing application performance monitoring tools to prevent data leakage and unauthorized access.
Affected Version(s)
Elastic APM agent for Python before 5.1.0
References
CVSS V3.1
Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved