High severityNVD Advisory· Published Dec 8, 2021· Updated Aug 4, 2024

CVE-2021-37941

Description

A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious file to an application running with the APM Java agent. Using this vector, a malicious or compromised user account could use the agent to run commands at a higher level of permissions than they possess. This vulnerability affects users that have set up the agent via the attacher cli 3, the attach API 2, as well as users that have enabled the profiling_inferred_spans_enabled option

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
elastic-apmPyPI	>= 1.10.0, < 1.27.0	1.27.0

Affected products

ghsa-coords
pkg:pypi/elastic-apm
Range: >= 1.10.0, < 1.27.0
Elastic/APM Java agentcpe-rescue
Range: 1.10.0 through 1.26.0

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-r562-m862-63w3ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2021-37941ghsaADVISORY
discuss.elastic.co/t/apm-java-agent-security-update/289627ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000