CVE-2021-22133 — LOW (2.4) — White Hats Nepal

Q: How severe is CVE-2021-22133?

CVE-2021-22133 has been rated LOW with a CVSS base score of 2.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-22133?

Check the references section above for vendor advisories and patch information. Affected products include: Elastic Apm Agent.

Vulnerability Description

The Elastic APM agent for Go versions before 1.11.0 can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application panic it is possible the headers will not be sanitized before being sent.

CVSS Score

2.4

LOW

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Elastic	Apm Agent	< 1.11.0

Related Weaknesses (CWE)

CWE-532

References

https://discuss.elastic.co/t/elastic-apm-agent-for-go-1-11-0-security-update/263Release NotesVendor Advisory
https://discuss.elastic.co/t/elastic-apm-agent-for-go-1-11-0-security-update/263Release NotesVendor Advisory

FAQ

What is CVE-2021-22133?

CVE-2021-22133 is a vulnerability with a CVSS score of 2.4 (LOW). The Elastic APM agent for Go versions before 1.11.0 can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTT...

How severe is CVE-2021-22133?

CVE-2021-22133 has been rated LOW with a CVSS base score of 2.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-22133?

Check the references section above for vendor advisories and patch information. Affected products include: Elastic Apm Agent.