Skip to content

APM Java Agent Local Privilege Escalation issue

High severity GitHub Reviewed Published Nov 22, 2023 to the GitHub Advisory Database • Updated Nov 22, 2023

Package

maven co.elastic.apm:apm-agent-parent (Maven)

Affected versions

>= 1.18.0, < 1.27.1

Patched versions

1.27.1

Description

A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious plugin to an application running the APM Java agent. By using this vulnerability, an attacker could execute code at a potentially higher level of permissions than their user typically has access to.

References

Published by the National Vulnerability Database Nov 22, 2023
Published to the GitHub Advisory Database Nov 22, 2023
Reviewed Nov 22, 2023
Last updated Nov 22, 2023

Severity

High
7.0
/ 10

CVSS base metrics

Attack vector
Local
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2021-37942

GHSA ID

GHSA-5xqm-hc45-f2g2

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.