CVE-2021-22136Insufficient Session Expiration in Kibana

CWE-613Insufficient Session Expiration4 documents4 sources
Severity
3.5LOWNVD
EPSS
0.0%
top 84.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Elastic Kibana
Timeline
PublishedMay 13
Latest updateMay 24

Description

In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users sessions, preventing a user session from timing out.

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 0.9 | Impact: 2.5

Affected Packages2 packages

NVDelastic/kibana7.0.07.12.0+1
CVEListV5elastic/kibanabefore 7.12.0 and 6.8.15

🔴Vulnerability Details

2
GHSA
GHSA-w44m-x962-x72w: In Kibana versions before 72022-05-24
CVEList
CVE-2021-22136: In Kibana versions before 72021-05-13

📋Vendor Advisories

1
Red Hat
kibana: xpack.security.session.idleTimeout setting timeout not being respected2021-03-23
CVE-2021-22136 — Insufficient Session Expiration | cvebase