2251300 – (CVE-2023-46671) CVE-2023-46671 kibana: Insertion of Sensitive Information into Log File (ESA-2023-25)

Bug 2251300 (CVE-2023-46671) - CVE-2023-46671 kibana: Insertion of Sensitive Information into Log File (ESA-2023-25)

Summary: CVE-2023-46671 kibana: Insertion of Sensitive Information into Log File (ESA-...

Keywords:
Status:	NEW
Alias:	CVE-2023-46671
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2251301
TreeView+	depends on / blocked

Reported:	2023-11-24 04:18 UTC by Pedro Sampaio
Modified:	2025-03-17 23:45 UTC (History)
CC List:	1 user (show)
Fixed In Version:	kibana 7.17.15, kibana 8.11.1
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2023-11-24 04:18:42 UTC

An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Elastic has released Kibana 8.11.1 which resolves this issue. The error message recorded in the log may contain account credentials for the kibana_system 64 user, API Keys, and credentials of Kibana end-users.

The issue occurs infrequently, only if an error is returned from an Elasticsearch cluster, in cases where there is user interaction and an unhealthy cluster (for example, when returning circuit breaker or no shard exceptions). In Elastic Cloud environments less than 5% of clusters are identified to have been affected.

References:

https://discuss.elastic.co/t/8-11-1-7-17-15-security-update-esa-2023-25/347149

Note You need to log in before you can comment on or make changes to this bug.