Bug 2051419 (CVE-2022-23707) - CVE-2022-23707 Kibana: Cross-site scripting issue (ESA-2022-01)
Summary: CVE-2022-23707 Kibana: Cross-site scripting issue (ESA-2022-01)
Keywords:
Status: NEW
Alias: CVE-2022-23707
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2051714 2051715 2052293 2052294 2052295 2052296 2052297
Blocks: 2051420
Reported: 2022-02-07 08:28 UTC by Avinash Hanwate
Modified: 2023-07-07 08:28 UTC

Fixed In Version: kibana 7.17.0
Doc Type: If docs needed, set a value
Doc Text:
A Cross-Site Scripting (XSS) vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permission to create index patterns can inject malicious JavaScript into the index pattern, which could execute against other users.
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Avinash Hanwate 2022-02-07 08:28:12 UTC
Kibana Cross-site scripting issue (ESA-2022-01)

   An XSS vulnerability was found in Kibana index patterns. Using this
   vulnerability, an authenticated user could bypass Kibana’s CSP to inject
   malicious JavaScript which could fire against a higher-level user.

   Affected Versions:

   Versions 7.5.1 through 7.16.3

   Solutions and Mitigations:

   Customers on affected versions should upgrade to the latest version of
   Kibana.

Comment 2 Anten Skrabec 2022-02-08 23:43:04 UTC
Created puppet-kibana3 tracking bugs for this issue:

Affects: openstack-rdo [bug 2052293]
