2066386 – (CVE-2022-23709) CVE-2022-23709 kibana: missing authorization issue (ESA-2022-03)

Bug 2066386 (CVE-2022-23709) - CVE-2022-23709 kibana: missing authorization issue (ESA-2022-03)

Summary: CVE-2022-23709 kibana: missing authorization issue (ESA-2022-03)

Keywords:
Status:	NEW
Alias:	CVE-2022-23709
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2072286 2072287 2072288 2072289 2072290 2072291 2072296
Blocks:	2066389
TreeView+	depends on / blocked

Reported:	2022-03-21 16:11 UTC by Patrick Del Bello
Modified:	2023-07-07 08:34 UTC (History)
CC List:	25 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Patrick Del Bello 2022-03-21 16:11:41 UTC

A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules.

https://discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447

Comment 2 Anten Skrabec 2022-04-05 23:09:28 UTC

Created puppet-kibana3 tracking bugs for this issue:

Affects: openstack-rdo [bug 2072296]

Note You need to log in before you can comment on or make changes to this bug.

aileenc
aos-bugs
bmontgom
chazlett
eglynn
eparis
ewolinet
gmalinko
janstey
jburrell
jcantril
jjoyce
jochrist
jokerman
jschluet
jwon
lhh
mburns
nstielau
rhos-maint
slinaber
sponnaga
spower
tvignaud
vkumar