Bug 2077601 (CVE-2022-23711) - CVE-2022-23711 kibana: Exposure of Sensitive Information (ESA-2022-05)
Summary: CVE-2022-23711 kibana: Exposure of Sensitive Information (ESA-2022-05)
Keywords:
Status: NEW
Alias: CVE-2022-23711
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2077602 2078654 2078655
Blocks: 2077600
TreeView+ depends on / blocked
 
Reported: 2022-04-21 17:52 UTC by Nick Tait
Modified: 2023-07-07 08:35 UTC (History)
26 users (show)

Fixed In Version: kibana 7.17.3, kibana 8.1.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Kibana that could result in an attacker exposing sensitive information related to Elastic Stack monitoring in the Kibana page source, if a user has set the optional monitoring.ui.elasticsearch.* settings. This could result in a loss of confidentiality and integrity.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Nick Tait 2022-04-21 17:52:36 UTC 
A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Elastic Stack monitoring 4 features provide a way to keep a pulse on the health and performance of your Elasticsearch cluster. Authentication with a vulnerable Kibana instance is not required to view the exposed information.

The Elastic Stack monitoring exposure only impacts users that have set any of the optional monitoring.ui.elasticsearch.* settings in order to configure Kibana as a remote UI for Elastic Stack Monitoring.

The same vulnerability in Kibana could expose other non-sensitive application-internal information in the page source.
Comment 1 Nick Tait 2022-04-21 17:52:56 UTC 
Created puppet-kibana3 tracking bugs for this issue:

Affects: openstack-rdo [bug 2077602]
Note You need to log in before you can comment on or make changes to this bug.