CVE-2021-37941
APM Java Agent Local Privilege Escalation
CVSS 3.1 score: 7.8 (HIGH)
EPSS: 0.03%
Description
A local privilege escalation issue was found in the APM Java agent: a user on the system could attach a malicious file to an application running with the APM Java agent. Using this vector, a malicious or compromised user account could use the agent to run commands with higher permissions than that account possesses. This vulnerability affects users who have set up the agent via the attacher CLI or the attach API, as well as users who have enabled the profiling_inferred_spans_enabled option.
How to fix CVE-2021-37941
To remediate CVE-2021-37941, upgrade the affected package to a fixed version below.
- Upgrade to 1.27.0 or later
Is CVE-2021-37941 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.10.0, < 1.27.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.8) | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |