Bug 2292364 (CVE-2024-23443)

Summary: CVE-2024-23443 kibana: uncontrolled resource consumption
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: caswilli, eglynn, jcantril, jjoyce, jschluet, kaycoth, lhh, lsvaty, mburns, mgarciac, pgrist, rhos-maint, slinaber, tvignaud
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Kibana. A high-privileged user, allowed to create custom osquery packs, could affect the availability of Kibana by uploading a maliciously crafted osquery pack.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2292363    

Description Rohit Keshri 2024-06-14 06:53:08 UTC 
Kibana uncontrolled resource consumption (ESA-2024-11)

   A high-privileged user, allowed to create custom osquery packs could
   affect the availability of Kibana by uploading a maliciously crafted
   osquery pack.

  Affected Versions:

   Kibana versions before 7.17.22 and before 8.14.0

  Solutions and Mitigations:

   The issue is resolved in version 7.17.22 and 8.14.0

   Severity: CVSSv3.1: 4.9(Medium) -
   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

   CVE ID: CVE-2024-23443

   1 post - 1 participant

   Read full topic

Reference:
https://discuss.elastic.co/t/kibana-8-14-0-7-17-22-security-update-esa-2024-11/361460