CVE-2022-23709Missing Authorization in Kibana

CWE-264CWE-862Missing Authorization4 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 64.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Elastic Kibana
Timeline
PublishedMar 3
Latest updateMar 4

Description

A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDelastic/kibana7.7.07.17.1+1
CVEListV5elastic/kibanaVersions 7.7.0 through 7.17.0, and 8.0.0

🔴Vulnerability Details

2
GHSA
GHSA-6mp6-6x9r-hvp3: A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules2022-03-04
CVEList
CVE-2022-23709: A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules2022-03-03

📋Vendor Advisories

1
Red Hat
kibana: missing authorization issue (ESA-2022-03)2022-02-28
CVE-2022-23709 — Missing Authorization in Elastic | cvebase