CVE-2021-37939 — Sensitive Information Exposure in Kibana

CWE-200 — Sensitive Information Exposure CWE-319 — Cleartext Transmission of Sensitive Info5 documents5 sources

Severity

2.7LOWNVD

EPSS

0.1%

top 70.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elastic Kibana

Timeline

PublishedNov 18

Latest updateMay 24

Description

It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could utilize these connectors to view limited HTTP response data on hosts accessible to the cluster.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages3 packages

▶NVDelastic/kibana7.8.0 — 7.15.2

▶npmelastic/kibana7.8.0 — 7.15.2

▶CVEListV5elastic/kibanaAll versions from 7.8.0 through 7.15.1

🔴Vulnerability Details

GHSA

Kibana Sensitive Data Disclosure↗2022-05-24

▶

OSV

Kibana Sensitive Data Disclosure↗2022-05-24

▶

CVEList

CVE-2021-37939: It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be in↗2021-11-18

▶

📋Vendor Advisories

Red Hat

kibana: HTTP server information disclosure via JIRA and IBM Resilient connectors↗2021-11-10

▶