CVE-2021-22143: 
C# vulnerability analysis and mitigation

The Elastic APM .NET Agent vulnerability (CVE-2021-22143) is an information disclosure issue discovered and disclosed in June 2021. The vulnerability affects all versions of Elastic APM .NET Agent prior to version 1.10.0. The flaw allows sensitive HTTP header information to leak when logging details during an application error. While the APM agent normally sanitizes sensitive HTTP header details before sending them to the APM server, this sanitization process could fail during an application error (Elastic Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 2.1 (LOW) with the vector string AV:A/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N, indicating adjacent network access, low attack complexity, high privileges required, user interaction required, unchanged scope, and low confidentiality impact with no impact on integrity or availability. The National Vulnerability Database (NVD) has assessed it with a slightly higher CVSS score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

The primary impact of this vulnerability is the potential exposure of sensitive information contained in HTTP headers. During an application error, the vulnerability could result in unsanitized HTTP header details being sent to the APM server, potentially exposing sensitive data that should normally be sanitized (Elastic Advisory).

The recommended mitigation is to upgrade to Elastic APM .NET Agent version 1.10.0 or later, which contains the fix for this vulnerability. No alternative workarounds have been published (Elastic Advisory).