First published: Thu Nov 18 2021
It was discovered that Kibana's JIRA connector and IBM Resilient connector could be used to return HTTP response data from internal hosts, which may be intentionally hidden from public view. A malicious user with the ability to create connectors could use these connectors to view limited HTTP response data from hosts accessible to the cluster.
Credit: bressers@elastic.co
Affected Software | Affected Version | How to fix
---|---|---
Elastic Kibana | >=7.8.0, <7.15.2 | Upgrade to 7.15.2
The vulnerability ID is CVE-2021-37939.
The severity of CVE-2021-37939 is medium.
Elastic Kibana versions from 7.8.0 up to, but not including, 7.15.2 are affected by CVE-2021-37939.
A malicious user with the ability to create connectors could exploit CVE-2021-37939 to return HTTP response data from internal hosts that may be hidden from public view.
A security update is available in Kibana version 7.15.2.