Dec 13, 2023 - 7:15 a.m.

CVE-2023-46675

2023-12-13 07:15:23
CWE-532
web.nvd.nist.gov
Tags: elastic, kibana, cve-2023-46675, information security, vulnerability, data breach, log management, error logging

CVSS3: 8 High

Attack Vector: ADJACENT
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score: 6.3 Medium (Confidence: High)

EPSS: 0.0005 Low (Percentile: 18.1%)

An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or when debug level logging is enabled in Kibana. Elastic has released Kibana 8.11.2, which resolves this issue. The messages recorded in the log may contain account credentials for the kibana_system user, API keys, and credentials of Kibana end-users; Elastic Security package policy objects, which can contain private keys, bearer tokens, and sessions of 3rd-party integrations; and finally Authorization headers, client secrets, local file paths, and stack traces. The issue may occur in any Kibana instance running an affected version that could potentially receive an unexpected error when communicating with Elasticsearch, causing it to include sensitive data in Kibana error logs. It could also occur under specific circumstances when debug level logging is enabled in Kibana. Note: It was found that the fix for ESA-2023-25 in Kibana 8.11.1 for a similar issue was incomplete.

Affected configurations

NVD
Vendor: elastic, Product: kibana, Range: 7.13.0 to 7.17.16
OR
Vendor: elastic, Product: kibana, Range: 8.0.0 to 8.11.2

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Kibana",
    "vendor": "Elastic",
    "versions": [
      {
        "lessThan": "7.17.16",
        "status": "affected",
        "version": "7.13.0",
        "versionType": "semver"
      },
      {
        "lessThan": "8.11.2",
        "status": "affected",
        "version": "8.0.0",
        "versionType": "semver"
      }
    ]
  }
]
