CVE-2021-22142: Use of Unmaintained Third Party Components in Kibana

Severity
NVD: 8.8 HIGH
CNA: 6.6
EPSS: 0.5% (top 35.39%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Nov 22

Description

Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate the downloadable reports. If a user with permissions to generate reports is able to render arbitrary HTML with this browser, they may be able to leverage known Chromium vulnerabilities to conduct further attacks. Kibana contains a number of protections to prevent this browser from rendering arbitrary content.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5: elastic/kibana 7.0.0 to 7.13.0
NVD: elastic/kibana 7.0.0 to 7.13.0

🔴 Vulnerability Details (2)

GHSA: GHSA-69j9-xj6j-fmpq: Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate the downloadable reports (2023-11-22)
CVEList: Kibana Reporting vulnerabilities (2023-11-22)

📋 Vendor Advisories (1)

Red Hat: kibana: Use of Unmaintained Third Party Components (2021-05-25)