CVE-2019-7617

7.2HIGH

Key Information:

Vendor: Elastic
Status: Elastic Apm Agent For Python
Vendor: CVE Published:; 22 August 2019

Summary

When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing.

Affected Version(s)

Elastic APM agent for Python before 5.1.0

References

https://www.elastic.co/community/security/

x_refsource_MISC

https://discuss.elastic.co/t/elastic-apm-agent-for-python...

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Aug 22, 2019
Vulnerability Reserved
Feb 7, 2019