CVE-2021-22136
Published 2021-05-13
Priority: P4 · 10 · low | CVSS 3.1 base score: 3.5
Vector: AV:P / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:N
EPSS: 0.28% (19.9th percentile)
In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users' sessions, preventing a user session from timing out.
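The mechanism behind this CVE is a sliding idle timeout whose timer is refreshed by the wrong class of requests. The following is an added illustration, not Kibana's own code: a minimal session store that tracks last activity and two policies for which requests count as activity. The vulnerable policy treats every authenticated request, including the browser's automatic background polls, as user activity, so a tab left open never idles out; the hardened policy serves background requests without refreshing the timer. The session store, the `background` request flag, the one-hour timeout standing in for `xpack.security.session.idleTimeout: "1h"`, and the 30-second poll interval are all assumptions made for the example.

```javascript
// Added example (not Kibana's implementation): sliding idle-timeout sessions and
// the difference between "any request extends the session" (CWE-613) and
// "only user-initiated requests extend the session".

// Assumed value, standing in for xpack.security.session.idleTimeout: "1h".
const IDLE_TIMEOUT_MS = 60 * 60 * 1000;

class SessionStore {
  // extendOnBackground === true reproduces the flawed behaviour described above.
  constructor({ idleTimeoutMs, extendOnBackground }) {
    this.idleTimeoutMs = idleTimeoutMs;
    this.extendOnBackground = extendOnBackground;
    this.sessions = new Map(); // sid -> { lastActivity }
  }

  create(sid, now) {
    this.sessions.set(sid, { lastActivity: now });
  }

  // Returns true if the session is still live at `now`; false (and removes the
  // session) once more than idleTimeoutMs has elapsed since the last activity.
  handleRequest(sid, now, { background = false } = {}) {
    const s = this.sessions.get(sid);
    if (!s) return false;
    if (now - s.lastActivity > this.idleTimeoutMs) {
      this.sessions.delete(sid);
      return false;
    }
    // Vulnerable policy: every request refreshes the idle timer.
    // Hardened policy: background polls are served but do not count as activity.
    if (!background || this.extendOnBackground) {
      s.lastActivity = now;
    }
    return true;
  }
}

// Constructed scenario: one real user action at t=0, then the browser polls in
// the background every 30 s for two hours with no further user input.
// Returns the timestamp (ms) at which the session was found expired, or null if
// it survived the whole window.
function idleOutTime(extendOnBackground) {
  const store = new SessionStore({ idleTimeoutMs: IDLE_TIMEOUT_MS, extendOnBackground });
  const sid = 'sid-1';
  const pollIntervalMs = 30 * 1000;
  const windowMs = 2 * 60 * 60 * 1000;

  store.create(sid, 0);
  store.handleRequest(sid, 0); // user-initiated request (e.g. a click)

  for (let t = pollIntervalMs; t <= windowMs; t += pollIntervalMs) {
    if (!store.handleRequest(sid, t, { background: true })) {
      return t;
    }
  }
  return null;
}

// Vulnerable: session never idles out while the tab keeps polling.
const vulnerableResult = idleOutTime(true);
// Hardened: first poll past the one-hour mark finds the session expired.
const hardenedResult = idleOutTime(false);
console.log({ vulnerableResult, hardenedResult });
```

The practitioner's check after upgrading is the same as the simulation: set a short idleTimeout, leave an authenticated Kibana tab open on a dashboard without touching it for longer than that value, and confirm the next interaction forces re-authentication. If it does not, something in the page is still refreshing the session timer.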
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | < 6.8.15 | 6.8.15 |
| elastic | kibana | — | — |
| elastic | kibana | >= 7.0.0 < 7.12.0 | 7.12.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 3.5 | LOW | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| nvd | 2.0 | 3.6 | LOW | AV:L/AC:L/Au:N/C:P/I:P/A:N |
| vendor_redhat | — | 3.5 | LOW | — |
Red Hat
kibana: xpack.security.session.idleTimeout setting timeout not being respected
vendor_redhat · 2021-03-23 · CVSS 3.5
CVE-2021-22136 [LOW] CWE-613
Statement: In OpenShift Container Platform (OCP) the kibana components have X-Pack security features disabled by default. The X-Pack plugin can be used only in an enterprise version [1].
Hence the open source version is unaffected by this vulnerability.
[1] https://www.elastic.co/subscriptions
Package: openshift-logging/kibana6-rhel8 (Logging Subsystem for Red Hat OpenShift) - Not affected
Package: k
GHSA
GHSA-w44m-x962-x72w: In Kibana versions before 7
ghsa_unreviewed · 2022-05-24
CVE-2021-22136 [LOW] CWE-613
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.