Bug 2051419 (CVE-2022-23707)

Summary: CVE-2022-23707 Kibana: Cross-site scripting issue (ESA-2022-01)
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aileenc, bmontgom, chazlett, dbecker, eparis, ewolinet, gmalinko, janstey, jburrell, jcantril, jjoyce, jochrist, jokerman, jschluet, jwon, lhh, lpeer, mburns, nstielau, rhos-maint, sclewis, slinaber, sponnaga, tvignaud, vkumar
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kibana 7.17.0
Doc Type: If docs needed, set a value
Doc Text:
A Cross-Site Scripting (XSS) vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permission to create index patterns can inject malicious JavaScript into the index pattern, which could execute against other users.
Bug Depends On: 2051714, 2051715, 2052293, 2052294, 2052295, 2052296, 2052297
Bug Blocks: 2051420

Description Avinash Hanwate 2022-02-07 08:28:12 UTC
Kibana Cross-site scripting issue (ESA-2022-01)

   An XSS vulnerability was found in Kibana index patterns. Using this
   vulnerability, an authenticated user could bypass Kibana’s CSP to inject
   malicious JavaScript which could fire against a higher-level user.

   Affected Versions:

   Versions 7.5.1 through 7.16.3

   Solutions and Mitigations:

   Customers on affected versions should upgrade to the latest version of
   Kibana.
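
The advisory above describes a stored XSS: a value an authenticated user saves (an index pattern title) is later rendered into the page for other users. The following is an added illustration of that bug class and its fix, not Kibana's own code and not the actual affected code path. It renders a constructed list of index patterns two ways, once by interpolating the title straight into HTML (the vulnerable shape) and once after HTML-escaping every untrusted field, and it includes a small regression check that scans a rendered fragment for tags outside an allowlist or inline event-handler attributes. The sample patterns, the function names and the allowlist are all assumptions made for this example.

```javascript
// Added illustration of the stored-XSS class in the advisory; not Kibana code.
// A low-privilege user controls an index pattern title; the UI later renders
// that title into HTML seen by higher-privileged users.

// Constructed sample data (hypothetical): the second title carries markup.
const SAMPLE_PATTERNS = [
  { id: "p1", title: "logs-*" },
  { id: "p2", title: 'metrics-<img src=x onerror="alert(1)">' },
];

// Vulnerable rendering: the title is interpolated as raw HTML, so any tag or
// event-handler attribute in it becomes live DOM once assigned to innerHTML.
function renderPatternListUnsafe(patterns) {
  return (
    "<ul>" +
    patterns.map((p) => `<li data-id="${p.id}">${p.title}</li>`).join("") +
    "</ul>"
  );
}

// Minimal HTML escaper for the five characters that break out of text nodes
// and quoted attribute values. Frameworks do this for you when you use their
// templating; the bug appears when markup is built by string concatenation.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Hardened rendering: every untrusted field is escaped before it is placed
// into the markup, so the title can only ever be displayed as text.
function renderPatternListSafe(patterns) {
  return (
    "<ul>" +
    patterns
      .map((p) => `<li data-id="${escapeHtml(p.id)}">${escapeHtml(p.title)}</li>`)
      .join("") +
    "</ul>"
  );
}

// Defender-side regression check: tokenize every tag in a rendered fragment
// and report tags outside the allowlist or carrying an inline event handler.
// Correctly escaped text never forms a tag token, so a safe render passes.
const ALLOWED_TAGS = new Set(["ul", "li"]);
function findUnexpectedMarkup(html, allowed = ALLOWED_TAGS) {
  const findings = [];
  const tagRe = /<\s*\/?\s*([a-zA-Z][\w-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    const attrs = m[2];
    if (!allowed.has(name)) findings.push(`unexpected tag <${name}>`);
    if (/\son[a-z]+\s*=/i.test(attrs)) findings.push(`event handler on <${name}>`);
  }
  return findings;
}

// Stand-alone demonstration: the unsafe render is flagged, the safe one is not.
console.log("unsafe render:", findUnexpectedMarkup(renderPatternListUnsafe(SAMPLE_PATTERNS)));
console.log("safe render:  ", findUnexpectedMarkup(renderPatternListSafe(SAMPLE_PATTERNS)));
```

The same check can be pointed at any template that renders saved-object names or field titles; the point of the advisory's fix is that escaping (or a CSP without unsafe-inline, which the advisory says could be bypassed here) must hold for every place a user-supplied title reaches the DOM, not just the creation form.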

Comment 2 Anten Skrabec 2022-02-08 23:43:04 UTC
Created puppet-kibana3 tracking bugs for this issue:

Affects: openstack-rdo [bug 2052293]