
CVE-2022-23711

 

Severity Score: 5.3 (CVSS v3.1)
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits: 0 (Multiple Sources)
Exploited in Wild (KEV): -
Decision (SSVC): -

Descriptions

A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Elastic Stack monitoring features provide a way to keep a pulse on the health and performance of your Elasticsearch cluster. Authentication with a vulnerable Kibana instance is not required to view the exposed information. The Elastic Stack monitoring exposure only impacts users that have set any of the optional monitoring.ui.elasticsearch.* settings in order to configure Kibana as a remote UI for Elastic Stack Monitoring. The same vulnerability in Kibana could expose other non-sensitive application-internal information in the page source.


*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-01-19 CVE Reserved
  • 2022-04-21 CVE Published
  • 2023-11-12 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Elastic | Kibana | >= 7.2.1 < 7.17.3 | - | Affected
Elastic | Kibana | >= 8.0.0 < 8.1.3 | - | Affected