Description
A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0. When specifying a trusted server CA certificate via the 'server_ca_cert' setting, the Ruby agent would not properly verify the certificate returned by the APM server. This could result in a man-in-the-middle style attack against the Ruby agent.
References
- Vendor Advisory
- Vendor Advisory
Vulnerable configurations
Configuration 1: versions before 2.9.0 (exclusive)
cpe:2.3:a:elastic:apm-agent-ruby:*:*:*:*:*:ruby:*:*
EPSS: 0.00136 (Low), percentile: 34%
CVSS3: 7.4 High
CVSS2: 5.8 Medium
Weaknesses
CWE-295
Related vulnerabilities
CVSS3: 7.4
github
more than 3 years ago
Elastic APM agent for Ruby vulnerable to Improper Certificate Validation