Bug 2066386 (CVE-2022-23709) - CVE-2022-23709 kibana: missing authorization issue (ESA-2022-03)
Summary: CVE-2022-23709 kibana: missing authorization issue (ESA-2022-03)
Keywords:
Status: NEW
Alias: CVE-2022-23709
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2072296 2072286 2072287 2072288 2072289 2072290 2072291
Blocks: 2066389
Reported: 2022-03-21 16:11 UTC by Patrick Del Bello
Modified: 2023-07-07 08:34 UTC
CC List: 25 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Kibana. This issue allows users with read access to the Uptime feature to modify alerting rules, creating new ones or overwriting existing ones. Rules created or modified this way are not enabled by default, so overwriting an existing, enabled alert rule effectively lets the user disable it.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Patrick Del Bello 2022-03-21 16:11:41 UTC
A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules.

https://discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447

Comment 2 Anten Skrabec 2022-04-05 23:09:28 UTC
Created puppet-kibana3 tracking bugs for this issue:

Affects: openstack-rdo [bug 2072296]

