
CVE-2021-22133: Information Disclosure in go.elastic.co/apm

CVSS Score: 2.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.2296%
Published: 5/18/2021
Updated: 8/30/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Package Name        Ecosystem   Vulnerable Versions   First Patched Version
go.elastic.co/apm   go          < 1.11.0              1.11.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from missing header sanitization during application panics. Analysis of commit dd3e8c5 shows:

  1. Error context initialization in error.go lacked a sanitizedFieldNames assignment before the fix.
  2. Context.build() in context.go contained the sanitization logic, but it was not triggered for error contexts.
  3. The fix added sanitizedFieldNames to error contexts and moved the sanitization into Context.build().

This indicates that the error creation path (Tracer.newError) and context building (Context.build) were vulnerable when handling panic-induced errors, because the sanitization field configuration was missing on that path.
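The root cause described above, as an added Go example that is not code from the Elastic APM agent or from Miggo: a small header sanitizer applied on the panic-recovery path. The pattern list, the helper names (matchesSanitized, sanitizeHeaders, captureErrorContext), the use of path.Match for wildcard matching and the sample request are all constructed for illustration; passing nil patterns models the pre-fix error context that had no sanitizedFieldNames configured.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"strings"
)

// Constructed pattern list in the shell-style wildcard form used by a
// sanitize-field-names setting; it is an example, not the agent's own list.
var sanitizedFieldNames = []string{
	"password", "passwd", "pwd", "secret", "*key", "*token*",
	"*session*", "*credit*", "*card*", "authorization", "set-cookie",
}

// redacted is the placeholder written in place of a matched header value.
const redacted = "[REDACTED]"

// matchesSanitized reports whether a header name matches any pattern.
// Matching is case-insensitive so canonicalised names such as
// "X-Api-Key" still hit the "*key" pattern. (path.Match is an assumption
// standing in for whatever matcher a real agent uses.)
func matchesSanitized(name string, patterns []string) bool {
	lower := strings.ToLower(name)
	for _, p := range patterns {
		if ok, err := path.Match(strings.ToLower(p), lower); err == nil && ok {
			return true
		}
	}
	return false
}

// sanitizeHeaders flattens h into a name -> value map, replacing the value
// of every header whose name matches patterns. With patterns == nil
// nothing is redacted, which is the pre-fix error-context state.
func sanitizeHeaders(h http.Header, patterns []string) map[string]string {
	out := make(map[string]string, len(h))
	for name, values := range h {
		if matchesSanitized(name, patterns) {
			out[name] = redacted
		} else {
			out[name] = strings.Join(values, ", ")
		}
	}
	return out
}

// captureErrorContext models the panic path: handler runs, a deferred
// recover turns the panic into an error, and the request headers are
// attached as error context. Those headers must pass through the same
// sanitization as ordinary transaction context; nil patterns reproduce
// the leak. If handler does not panic, no context is produced.
func captureErrorContext(r *http.Request, patterns []string, handler func()) (ctx map[string]string, recovered interface{}) {
	defer func() {
		if rec := recover(); rec != nil {
			recovered = rec
			ctx = sanitizeHeaders(r.Header, patterns)
		}
	}()
	handler()
	return nil, nil
}

func main() {
	// Constructed request carrying two secrets and one harmless header.
	req, err := http.NewRequest(http.MethodGet, "http://example.test/checkout", nil)
	if err != nil {
		panic(err)
	}
	req.Header.Set("Authorization", "Bearer s3cr3t-token")
	req.Header.Set("X-Api-Key", "k-12345")
	req.Header.Set("Accept", "application/json")

	// Hypothetical handler that panics, e.g. on an unexpected nil.
	handler := func() { panic("checkout: nil cart") }

	leaked, _ := captureErrorContext(req, nil, handler)
	fmt.Println("pre-fix error context (no sanitizedFieldNames):", leaked)

	safe, rec := captureErrorContext(req, sanitizedFieldNames, handler)
	fmt.Printf("fixed error context for panic %q: %v\n", rec, safe)
}
```

Run with go run: the first output line shows the Authorization and X-Api-Key values intact, the second shows them replaced. The check a reviewer would want is the one the fix applied: the redaction has to live in the single context-building step so that every path that creates a context, the panic path included, inherits it rather than depending on each caller remembering to set the field list.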


WAF Protection Rules

WAF Rule

The Elastic APM agent for Go versions before 1.11.0 can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to
