Summary
If the Node.js agent is configured to exclude the request.uri attribute, it will still capture the URI in transaction traces. This can be problematic for certain customers in environments where sensitive information is included in the URI.
Release date: August 20, 2020
Vulnerability identifier: NR20-02
Priority: Medium
Affected software
The following New Relic agent versions are affected:
| Name | Affected version | Remediated version |
|---|---|---|
| Node.js agent | < 6.12.1 | 6.12.1 |
Vulnerability information
Even when users configure the Node.js agent to exclude the request.uri attribute, the agent will still capture the URI in transaction traces. This allows authenticated account users to view the URI anywhere transaction trace details can be viewed via New Relic One or queries. This includes (but is not limited to) the Transaction traces section of the Transactions page, the Transaction trace details, and the query builder in the UI.
Mitigating factors
This will only affect Node.js agents configured to exclude the request.uri attribute.
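The two conditions above (agent version below 6.12.1, and request.uri excluded) can be checked across a service inventory. The following is an added example, not New Relic code; the config shape (attributes.exclude and transaction_tracer.attributes.exclude as exported from newrelic.js), the trailing `*` wildcard handling, and the service names are assumptions or constructed sample data.

```javascript
'use strict';
const FIXED = [6, 12, 1]; // remediated version from the table above

// Parse "6.12.0", "v6.12.0" or "6.12.1-beta.1" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

function isBeforeFix(v) {
  const { nums, pre } = parseVersion(v);
  for (let i = 0; i < 3; i++) {
    if (nums[i] !== FIXED[i]) return nums[i] < FIXED[i];
  }
  return pre; // a prerelease of 6.12.1 sorts before the 6.12.1 release
}

// Assumption: an exclude rule is an exact attribute name or a prefix ending in '*'.
function excludesRequestUri(rules) {
  return rules.some((r) =>
    r.endsWith('*') ? 'request.uri'.startsWith(r.slice(0, -1)) : r === 'request.uri');
}

// config: the object exported from a service's newrelic.js (assumed shape).
function auditService({ name, agentVersion, config }) {
  const rules = [
    ...(config?.attributes?.exclude ?? []),
    ...(config?.transaction_tracer?.attributes?.exclude ?? []),
  ];
  const excluded = excludesRequestUri(rules);
  // Per the advisory, only agents that exclude request.uri are affected.
  const affected = excluded && isBeforeFix(agentVersion);
  return { name, excluded, affected,
    action: affected ? 'upgrade agent to 6.12.1 or later' : 'none' };
}

// Constructed inventory for illustration; not real services.
const SAMPLE = [
  { name: 'checkout', agentVersion: '6.11.0', config: { attributes: { exclude: ['request.uri'] } } },
  { name: 'search', agentVersion: '6.12.1', config: { attributes: { exclude: ['request.uri'] } } },
  { name: 'profile', agentVersion: '6.9.0', config: { transaction_tracer: { attributes: { exclude: ['request.*'] } } } },
  { name: 'static', agentVersion: '6.2.0', config: {} },
];

function affectedServices(inventory) {
  return inventory.map(auditService).filter((r) => r.affected).map((r) => r.name);
}

console.log(affectedServices(SAMPLE));
```

Services flagged here may already have URIs stored in existing transaction traces, so the upgrade only stops further capture.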
Workarounds
Report security vulnerabilities to New Relic
New Relic is committed to the security of our customers and your data. If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic's coordinated disclosure program. For more information, see our documentation about reporting security vulnerabilities.