CVE-2023-46671 — Log File Information Exposure in Kibana

CWE-532 — Log File Information Exposure CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

6.5MEDIUMNVD

CNA8.0

EPSS

0.2%

top 55.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elastic Kibana

Timeline

PublishedDec 13

Description

An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Elastic has released Kibana 8.11.1 which resolves this issue. The error message recorded in the log may contain account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users. The issue occurs infrequently, only if an error is returned from an Elasticsearch cluster, in cases where there is user interaction and an unhealthy cluster (for example, …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5elastic/kibana8.0.0 — 8.11.1

▶NVDelastic/kibana8.0.0 — 8.11.1

🔴Vulnerability Details

GHSA

GHSA-6x3f-mgrr-9xvm: An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error↗2023-12-13

▶

CVEList

Kibana Insertion of Sensitive Information into Log File↗2023-12-13

▶

📋Vendor Advisories

Red Hat

kibana: Insertion of Sensitive Information into Log File (ESA-2023-25)↗2023-11-14

▶