CVE-2021-22139
https://notcve.org/view.php?id=CVE-2021-22139
Kibana versions before 7.12.1 contain a denial of service vulnerability in the webhook actions due to a lack of timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailable for all other users.
• https://discuss.elastic.co/t/7-12-1-security-update/271433
• CWE-400: Uncontrolled Resource Consumption
CVE-2021-22138
https://notcve.org/view.php?id=CVE-2021-22138
In Logstash versions after 6.4.0 and before 6.8.15 and 7.12.0, a TLS certificate validation flaw was found in the monitoring feature. When specifying a trusted server CA certificate, Logstash would not properly verify the certificate returned by the monitoring server. This could result in a man-in-the-middle style attack against the Logstash monitoring data.
• https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125
• https://security.netapp.com/advisory/ntap-20210629-0001
• CWE-295: Improper Certificate Validation
CVE-2021-22137 – elasticsearch: Document disclosure flaw when Document or Field Level Security is used
https://notcve.org/view.php?id=CVE-2021-22137
In Elasticsearch versions before 7.11.2 and 6.8.15, a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.
• https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125
• https://security.netapp.com/advisory/ntap-20210625-0003
• https://access.redhat.com/security/cve/CVE-2021-22137
• https://bugzilla.redhat.com/show_bug.cgi?id=1943189
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-281: Improper Preservation of Permissions
CVE-2021-22136
https://notcve.org/view.php?id=CVE-2021-22136
In Kibana versions before 7.12.0 and 6.8.15, a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users' sessions, preventing a user session from timing out.
• https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125
• CWE-613: Insufficient Session Expiration
CVE-2021-22135 – elasticsearch: Document disclosure flaw in the Elasticsearch suggester
https://notcve.org/view.php?id=CVE-2021-22135
Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester, which could lead to disclosing the existence of documents and fields the attacker should not be able to view.
• https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125
• https://security.netapp.com/advisory/ntap-20210625-0003
• https://access.redhat.com/security/cve/CVE-2021-22135
• https://bugzilla.redhat.com/show_bug.cgi?id=1943184
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor