High severityNVD Advisory· Published Nov 22, 2023· Updated Aug 4, 2024

APM Java Agent Local Privilege Escalation

CVE-2021-37942

Description

A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious plugin to an application running the APM Java agent. By using this vulnerability, an attacker could execute code at a potentially higher level of permissions than their user typically has access to.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Local privilege escalation in Elastic APM Java agent allows a user to attach a malicious plugin and execute code with higher permissions.

Vulnerability

Description A local privilege escalation vulnerability exists in the Elastic APM Java agent, where a user on the system can attach a malicious plugin to an application running the agent. This allows the attacker to execute code at a potentially higher level of permissions than their user typically has access to [1][4].

Exploitation

An attacker with local access and low privileges can exploit this vulnerability by attaching a malicious plugin to an application that uses the APM Java agent. The attack complexity is high, but no user interaction is required, and the scope remains unchanged [4].

Impact

Successful exploitation can lead to full compromise of confidentiality, integrity, and availability (C:H/I:H/A:H). The attacker can execute arbitrary code with elevated privileges, potentially gaining control over the affected system [4].

Mitigation

Elastic has released version 1.27.1 of the APM Java agent, which addresses this issue. Users are advised to update to 1.27.1 or newer, or use the unaffected -javaagent-based installation method. The vulnerability affects versions 1.18.0 through 1.27.0 [4].

References

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
co.elastic.apm:apm-agent-parentMaven	>= 1.18.0, < 1.27.1	1.27.1
co.elastic.apm:elastic-apm-agentMaven	>= 1.18.0, < 1.27.1	1.27.1

Affected products

ghsa-coords2 versions
pkg:maven/co.elastic.apm/apm-agent-parent pkg:maven/co.elastic.apm/elastic-apm-agent
>= 1.18.0, < 1.27.1+ 1 more
- (no CPE)range: >= 1.18.0, < 1.27.1
- (no CPE)range: >= 1.18.0, < 1.27.1
Elastic/Elastic Agentcpe-rescue
Range: 1.18.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-5xqm-hc45-f2g2ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2021-37942ghsaADVISORY
discuss.elastic.co/t/apm-java-agent-security-update/291355ghsaWEB
www.elastic.co/community/securityghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000