CVE-2021-37939: Infoleak
First published: Thu Nov 18 2021(Updated: )
It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could utilize these connectors to view limited HTTP response data on hosts accessible to the cluster.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Kibana | >=7.8.0<7.15.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID is CVE-2021-37939.
What is the severity of CVE-2021-37939?
The severity of CVE-2021-37939 is medium.
Which software is affected by CVE-2021-37939?
Elastic Kibana versions 7.8.0 to 7.15.2 are affected by CVE-2021-37939.
How can a malicious user exploit CVE-2021-37939?
A malicious user with the ability to create connectors could exploit CVE-2021-37939 to return HTTP response data on internal hosts that may be hidden from public view.
Is there a fix available for CVE-2021-37939?
Yes, a security update is available for Kibana version 7.15.2.
- collector/nvd-index
- agent/severity
- agent/author
- agent/references
- agent/weakness
- agent/type
- agent/tags
- agent/event
- agent/description
- vendor/elastic
- canonical/elastic kibana
- version/elastic kibana/7.8.0