CVE-2021-22133
First published: Thu Feb 04 2021(Updated: )
The Elastic APM agent for Go versions before 1.11.0 can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application panic it is possible the headers will not be sanitized before being sent.
Credit: bressers@elastic.co bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/go.elastic.co/apm | <1.11.0 | 1.11.0 |
| Elastic Apm Agent | <1.11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2021-22133
- https://github.com/elastic/apm-agent-go/commit/c5c7e21aa26a6def7790f74fbceed792ad47ef35
- https://discuss.elastic.co/t/elastic-apm-agent-for-go-1-11-0-security-update/263252
- https://github.com/elastic/apm-agent-go/compare/v1.10.0...v1.11.0
- https://github.com/elastic/apm-agent-go/pull/888
- https://github.com/elastic/apm-agent-go/commit/dd3e8c593580e7b80a98b57e1cc6e017e56747b4
- https://pkg.go.dev/vuln/GO-2022-0706
- https://github.com/advisories/GHSA-qqc5-rgcc-cjqh (Advisory)
- https://access.redhat.com/errata/RHSA-2021:2438
- https://access.redhat.com/security/cve/cve-2021-22133
- https://bugzilla.redhat.com/show_bug.cgi?id=1942553
- https://www.cve.org/CVERecord?id=CVE-2021-22133 https://nvd.nist.gov/vuln/detail/CVE-2021-22133 https://discuss.elastic.co/t/elastic-apm-agent-for-go-1-11-0-security-update/263252
Frequently Asked Questions
What is CVE-2021-22133?
CVE-2021-22133 is a vulnerability in the Elastic APM agent for Go versions before 1.11.0 that can leak sensitive HTTP header information.
What is the severity of CVE-2021-22133?
The severity of CVE-2021-22133 is low, with a severity value of 2.4.
How does CVE-2021-22133 impact affected software?
CVE-2021-22133 impacts the Elastic APM agent for Go versions before 1.11.0, allowing the leakage of sensitive HTTP header information during an application panic.
How can I fix CVE-2021-22133?
To fix CVE-2021-22133, update to version 1.11.0 or later of the Elastic APM agent for Go.
What is the Common Weakness Enumeration (CWE) ID for CVE-2021-22133?
The CWE ID for CVE-2021-22133 is 532.
- collector/github-advisory-latest
- alias/GHSA-qqc5-rgcc-cjqh
- alias/CVE-2021-22133
- collector/github-advisory
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-cve
- agent/type
- agent/author
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- agent/references
- agent/tags
- agent/severity
- agent/weakness
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/go
- vendor/elastic
- canonical/elastic apm agent