CVE-2021-22133

LOW

Elastic APM Agent for Go < 1.11.0 - Sensitive Information Exposure via Panic Log

Title source: llm

Description

The Elastic APM agent for Go versions before 1.11.0 can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application panic it is possible the headers will not be sanitized before being sent.

References (1)

Core 1

Core References

Release Notes, Vendor Advisory x_refsource_misc

https://discuss.elastic.co/t/elastic-apm-agent-for-go-1-11-0-security-update/263252

Scores

CVSS v3 2.4

EPSS 0.0052

EPSS Percentile 40.0%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-532

Status published

Products (2)

elastic/apm_agent < 1.11.0

go.elastic.co/apm 0 - 1.11.0Go

Published Feb 10, 2021

Tracked Since Feb 18, 2026