CVE-2021-37941 is a vulnerability in Elastic Apm Agent
Published on December 8, 2021
A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious file to an application running with the APM Java agent. Using this vector, a malicious or compromised user account could use the agent to run commands at a higher level of permissions than they possess. This vulnerability affects users that have set up the agent via the attacher cli 3, the attach API 2, as well as users that have enabled the profiling_inferred_spans_enabled option
Weakness Type
Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Products Associated with CVE-2021-37941
Want to know whenever a new CVE is published for Elastic Apm Agent? stack.watch will email you.
Affected Versions
Elastic APM Java Agent Version 1.10.0 through 1.26.0 is affected by CVE-2021-37941Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.