CVE-2021-22139
Published 2021-05-13
Priority: P4 · 31 · medium · CVSS 3.1 base score 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.00% (58.4th percentile)
Kibana versions before 7.12.1 contain a denial of service vulnerability in the webhook actions due to a lack of a timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailable for all other users.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | < 7.12.1 | 7.12.1 |
| elastic | kibana | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P |
| vendor_redhat | — | 6.5 | MEDIUM | — |
GHSA
GHSA-823g-p8g4-q559 · ghsa_unreviewed · 2022-05-24 · CVE-2021-22139 [MEDIUM] · CWE-400
Kibana versions before 7.12.1 contain a denial of service vulnerability in the webhook actions due to a lack of a timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailable for all other users.
Red Hat
kibana: denial of service via webhook actions due to a lack of timeout or a limit on the request size
vendor_redhat · 2021-04-27 · CVSS 6.5 · CVE-2021-22139 [MEDIUM] · CWE-770
Kibana versions before 7.12.1 contain a denial of service vulnerability in the webhook actions due to a lack of a timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailable for all other users.
Statement: The kibana webhook actions are part of the X-Pack features [1]. In OpenShift Container Platform (OCP) the kibana components have X-Pack security features disabled by default. The X-Pack plugin can be used only in the enterprise version [2]. Hence the open source version is unaffected by this vulnerability.
[1] https://www.elastic.co/guide/en/kibana/current/webhook-action-ty
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Timeline: 2021-05-13 published