Elastic Kibana disclosure | CVE-2022-23711
NAME
Elastic Kibana disclosure
- Platforms Affected:
Elastic Kibana 7.8.0
Elastic Kibana 8.0.0
Elastic Kibana 7.17.2
Elastic Kibana 8.1.2
- Risk Level:
8.2
- Exploitability:
Unproven
- Consequences:
Obtain Information
DESCRIPTION
Elastic Kibana could allow a remote attacker to obtain sensitive information, caused by a flaw in the optional monitoring.ui.elasticsearch.* settings. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information related to Elastic Stack monitoring in the Kibana page source, and use this information to launch further attacks against the affected system.
CVSS 3.0 Information
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Access Vector: Adjacent Network
- Access Complexity: Low
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
- Remediation Level: Official Fix
MITIGATION
Refer to Elasticsearch ESA-2022-05 for patch, upgrade or suggested workaround information. See References.
- Reference Link:
https://discuss.elastic.co/t/kibana-7-17-3-and-8-1-3-security-update/302826
- Reference Link:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23711