Summary
A security update to the browser agent will detect file:// URI schemes and stop any further execution and data collection if found.
Release date: March 9th, 2021
Vulnerability identifier: NR21-01
Priority: Medium
Affected software
The following New Relic agent versions are affected:
| Name | Affected version | Remediated version |
|---|---|---|
| Browser agent | < v1205 | v1208 |
Vulnerability information
Browsers can render local files on a host machine by using the file:// URI scheme outlined in RFC 8089. During the agent's harvest cycle, this file:// URI will be recorded as the pageURL datapoint. This may result in the collection of potentially sensitive data included in the local file path, such as the directory path for the saved webpage and any name or company information in that directory path. More information regarding the file:// URI can be found in RFC 8089.
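The check below is an added example, not code from the New Relic browser agent: it shows how a page URL with the file:// scheme can be refused before reporting, and how already-recorded page URL values can be audited for local path segments. The function names, the choice to refuse unparseable values, and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example; names and sample URLs are constructed, not New Relic agent code.

// Decode one path segment without throwing on malformed percent-escapes.
function safeDecode(segment) {
  try {
    return decodeURIComponent(segment);
  } catch (_) {
    return segment;
  }
}

// Decide whether a page URL may be reported, and list what a file:// path would expose.
function classifyPageUrl(pageUrl) {
  let parsed;
  try {
    parsed = new URL(pageUrl);
  } catch (_) {
    // Assumption of this example: an unparseable value is not reported.
    return { collect: false, scheme: null, exposedSegments: [] };
  }
  // The URL parser lowercases the scheme, so "FILE:" and "file:" compare equal.
  const scheme = parsed.protocol.replace(/:$/, "");
  if (scheme !== "file") {
    return { collect: true, scheme, exposedSegments: [] };
  }
  // RFC 8089 file URI: every path segment is a local directory or file name.
  const exposedSegments = parsed.pathname.split("/").filter(Boolean).map(safeDecode);
  return { collect: false, scheme, exposedSegments };
}

// Audit previously recorded page URL values and return those that came from local files.
function auditPageUrls(recorded) {
  return recorded
    .map((url) => ({ url, ...classifyPageUrl(url) }))
    .filter((r) => r.scheme === "file");
}

// Constructed sample values.
const SAMPLE_PAGE_URLS = [
  "https://shop.example.com/checkout",
  "file:///C:/Users/jdoe/Documents/Acme%20Corp/checkout.html",
  "FILE:///home/jdoe/clients/acme/saved-page.html",
];

for (const hit of auditPageUrls(SAMPLE_PAGE_URLS)) {
  console.log(hit.url, "->", hit.exposedSegments.join(" | "));
}
```

The audit output makes the exposure concrete: the user name and the company folder appear as separate path segments of each flagged URL.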
Mitigating factors
A person must both download a webpage with the browser agent configured and open the file in a browser. HTML files loaded without the file:// URI scheme are not affected.
Workarounds
Report security vulnerabilities to New Relic
New Relic is committed to the security of our customers and your data. If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic's coordinated disclosure program. For more information, see our documentation about reporting security vulnerabilities.