Base Score

HIGH7.2

CVE-2019-7617

When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing.

VectorNETWORK

Published Bysecurity@elastic.co

Published DateAug 22, 2019, 17:15

Affected Versions(1)

elastic-apm(PyPI)

Introduced0

Fixed5.1.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
elastic-apm(PyPI)	0	5.1.0	N/A

Weakness Type (CWE):CWE-20

CVSS Metrics

Base Score

7.2

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Base Severity

HIGH

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE

References

Base Score

HIGH7.2

Weakness Type (CWE):CWE-20

CVSS Metrics

Base Score

7.2

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Base Severity

HIGH

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE