Security Bulletin NR19-02

Summary

Request parameters are added as segment attributes, even when the agent is configured with High-security mode or Configurable Security Policies. This may result in unexpected data being collected.

Release date: April 1, 2019

Vulnerability identifier: NR19-02

Priority: Medium

Affected software

The following New Relic agent versions are affected:

Name

Affected version

Notes

Remediated version

Node.js agent

3.0.0-5.6.2

5.6.3

Vulnerability information

By design, request parameters are added as segment attributes. Request parameters should be ignored when the agent is configured with High-security mode or the attributes_include Configurable Security Policy.

Mitigating factors

Only affects agents configured with High-security mode or the attributes_include Configurable Security Policy.

Workarounds

Report security vulnerabilities to New Relic

New Relic is committed to the security of our customers and their data. If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic's coordinated disclosure program. For more information, see Reporting security vulnerabilities.