• EnglishEspañol日本語한국어Português
  • Log inStart now

Security Bulletin NR20-01

Summary

A security update for the .NET agent corrects an issue where full SQL queries may be sent to the agent log.

Release date: January 16, 2020

Vulnerability identifier: NR20-01

Priority: Medium

Affected software

The following New Relic agent versions are affected:

Name

Affected version

Remediated version

.NET Core agent

5.16.71.0 - 8.21.34.0

8.23.107.0

.NET Framework agent

5.16.71.0 - 8.21.34.0

6.25.0.0

Vulnerability information

In order to generate explain plans, a copy of the SQL query is created and the query is reissued with a request for the execution plan. If the explain plan fails, the agent may log the full SQL statement which could include the parameter values.

Mitigating factors

The agent will only log this information when set to the DEBUG or FINEST logging levels.

Workarounds

Report security vulnerabilities to New Relic

New Relic is committed to the security of our customers and your data. If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic's coordinated disclosure program. For more information, see our documentation about reporting security vulnerabilities.

Copyright © 2024 New Relic Inc.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.