CVE-2021-37939
Published 2021-11-18
Priority: P49 · CVSS 3.1 base score: 2.7 (Low)
CVSS 3.1 vector: AV:N / AC:L / PR:H / UI:N / S:U / C:L / I:N / A:N
EPSS: 0.44% (35.3rd percentile)
It was discovered that Kibana’s JIRA connector and IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors could utilize these connectors to view limited HTTP response data on hosts accessible to the cluster.
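The flaw is a server-side request forgery primitive: the connector's target URL is chosen by whoever can create connectors, the Kibana server performs the request, and enough of the upstream response is echoed back to reveal services that are only reachable from the server. Two controls close that class of issue: restricting where a connector may send requests (Kibana exposes an allow-list setting for this, `xpack.actions.allowedHosts`) and never returning the upstream response body to the connector's owner. The following is an added illustration written for this page, not Kibana's own code; the function names, the `allowed_hosts` semantics assumed here (exact hostname match, or `*` for any host), and the sample URLs and resolved addresses are constructed for the example.

```python
"""Egress guard for outbound connector requests (constructed example).

Models two defences against the class of flaw in CVE-2021-37939:
(1) refuse connector targets that resolve into internal address space
    unless the host is explicitly allow-listed, and
(2) never echo the upstream HTTP response body back to the user who
    configured the connector.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allow-list. Kibana exposes a similar knob as
# xpack.actions.allowedHosts (default "*" = any host); the matching rule
# used here (exact hostname, or "*") is an assumption for this example.
DEFAULT_ALLOWED_HOSTS = ("*",)


def _is_internal(ip) -> bool:
    """True for addresses a connector must never be allowed to reach."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_connector_target(url: str, resolved_ips,
                           allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Decide whether a connector may be pointed at `url`.

    `resolved_ips` is what DNS returned for the URL's host. It is passed in
    so the check is deterministic, and so the caller can connect to exactly
    the address that was vetted (resolving again later reopens the
    DNS-rebinding window). Returns (ok, reason).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if "*" not in allowed_hosts:
        if host.lower() not in {h.lower() for h in allowed_hosts}:
            return False, f"host {host!r} not in allowed_hosts"
    if not resolved_ips:
        return False, "host did not resolve"
    for raw in resolved_ips:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            return False, f"unparseable address {raw!r}"
        if _is_internal(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"


def connector_error_message(status: int, upstream_body: str) -> str:
    """Build the error shown to the connector's owner after a failed call.

    The upstream body is deliberately dropped: surfacing it is what turns a
    misdirected request into an information-disclosure primitive. Log it
    server-side with the connector id if operators need it for debugging.
    """
    return f"upstream request failed with HTTP {status}"


if __name__ == "__main__":
    # Constructed inputs: a cloud metadata endpoint, Kibana itself, and a
    # legitimate-looking JIRA host with a constructed public address.
    for url, ips in [
        ("http://169.254.169.254/latest/meta-data/", ["169.254.169.254"]),
        ("http://localhost:5601/api/status", ["::1"]),
        ("https://jira.example.com/rest/api/2/issue", ["93.184.216.34"]),
    ]:
        print(url, check_connector_target(url, ips))
    print(connector_error_message(404, "<html>internal wiki index</html>"))
```

Two caveats apply when wiring a check like this into a real HTTP client: the vetted address must be the one actually connected to (pin it, rather than letting the client resolve the hostname a second time), and every redirect hop must go through the same check, since an allowed public host can 302 to an internal one.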
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | >= 7.8.0 < 7.15.2 | 7.15.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 2.7 | LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
| NVD | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| Red Hat (vendor) | — | 2.7 | LOW | — |
Red Hat
kibana: HTTP server information disclosure via JIRA and IBM Resilient connectors
vendor_redhat · 2021-11-10 · CVSS 2.7 · LOW · CWE-319
An information disclosure flaw was found in kibana. A malicious user with the ability to create connectors could utilize the JIRA and IBM Resilient connectors to view limited HTTP response data on hosts accessible to the cluster.
Package: openshift-logging/kibana6-rhel8 (Logging Subsystem for Red Hat OpenShift) - Not affected
Package: kibana
GHSA
Kibana Sensitive Data Disclosure
ghsa · 2022-05-24 · MEDIUM · CWE-319
OSV
Kibana Sensitive Data Disclosure
osv · 2022-05-24 · MEDIUM
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.