CVE-2021-37942

HIGH

Elastic APM Java Agent 1.18.0-1.26.10 - Local Privilege Escalation via Malicious Plugin Attachment

Title source: llm

Description

A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious plugin to an application running the APM Java agent. By using this vulnerability, an attacker could execute code at a potentially higher level of permissions than their user typically has access to.

References (2)

Core 2

Core References

Vendor Advisory

https://discuss.elastic.co/t/apm-java-agent-security-update/291355

Product

https://www.elastic.co/community/security

Scores

CVSS v3 7.0

EPSS 0.0009

EPSS Percentile 25.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-269

Status published

Products (3)

co.elastic.apm/apm-agent-parent 1.18.0 - 1.27.1Maven

co.elastic.apm/elastic-apm-agent 1.18.0 - 1.27.1Maven

elastic/apm_java_agent 1.18.0 - 1.27.0

Published Nov 22, 2023

Tracked Since Feb 18, 2026