Bug 2246915 (CVE-2023-31422) - CVE-2023-31422 kibana: Kibana Insertion of Sensitive Information into Log File
Summary: CVE-2023-31422 kibana: Kibana Insertion of Sensitive Information into Log File
Keywords:
Status: NEW
Alias: CVE-2023-31422
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2246916
Reported: 2023-10-30 05:20 UTC by Avinash Hanwate
Modified: 2025-03-17 23:45 UTC

Fixed In Version: Kibana 8.10.1
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Avinash Hanwate 2023-10-30 05:20:01 UTC
An issue was discovered by Elastic whereby sensitive information is recorded in Kibana logs in the event of an error. The issue impacts only Kibana version 8.10.0 when logging in the JSON layout or when the pattern layout is configured to log the %meta pattern. Elastic has released Kibana 8.10.1 which resolves this issue. The error object recorded in the log contains request information, which can include sensitive data, such as authentication credentials, cookies, authorization headers, query params, request paths, and other metadata. Some examples of sensitive data which can be included in the logs are account credentials for kibana_system, kibana-metricbeat, or Kibana end-users.

https://www.elastic.co/community/security
https://discuss.elastic.co/t/kibana-8-10-1-security-update/343287
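
One way to triage existing JSON-layout logs from an affected 8.10.0 instance for the kinds of request data the description lists; this is an added example, not code from Elastic or from this bug report. The key list, the `error.meta.request` layout and the sample lines are constructed assumptions; the scan matches on key names at any depth, so it does not depend on that layout.

```python
import json

# Key names treated as sensitive (assumption; extend for your deployment).
SENSITIVE_KEYS = {"authorization", "cookie", "set-cookie", "password", "api_key"}

def sensitive_paths(node, path=""):
    """Yield dotted paths of sensitive keys anywhere in a parsed log entry."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_KEYS and value not in (None, "", [], {}):
                yield here
            else:
                yield from sensitive_paths(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from sensitive_paths(item, f"{path}[{i}]")

def redact(node):
    """Return a copy of the entry with sensitive values replaced."""
    if isinstance(node, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node

def scan(lines):
    """Return {line_number: [paths]} for JSON log lines holding sensitive keys."""
    hits = {}
    for number, line in enumerate(lines, start=1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # pattern-layout or truncated line: not handled here
        paths = list(sensitive_paths(entry))
        if paths:
            hits[number] = paths
    return hits

# Constructed sample lines; the field layout is illustrative, not real Kibana output.
SAMPLE = [
    '{"@timestamp":"2023-09-14T10:00:00Z","log":{"level":"INFO"},"message":"started"}',
    '{"@timestamp":"2023-09-14T10:00:05Z","log":{"level":"ERROR"},"message":"request failed",'
    '"error":{"meta":{"request":{"path":"/_search","headers":{"authorization":"Basic Y29uc3RydWN0ZWQ=","x-opaque-id":"abc"}}}}}',
    'not json at all',
]
```

Calling `scan()` on the lines of a log file gives the line numbers to review, and any credential found there should be rotated in addition to redacting the log copy.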

