CVE-2023-46671: Kibana Insertion of Sensitive Information into Log File

First published: Wed Dec 13 2023(Updated: )

An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Elastic has released Kibana 8.11.1 which resolves this issue. The error message recorded in the log may contain account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users. The issue occurs infrequently, only if an error is returned from an Elasticsearch cluster, in cases where there is user interaction and an unhealthy cluster (for example, when returning circuit breaker or no shard exceptions).

Credit: bressers@elastic.co

Affected Software	Affected Version	How to fix
Elastic Kibana	>=8.0.0<8.11.1

Never miss a vulnerability like this again

Reference Links

https://discuss.elastic.co/t/8-11-1-7-17-15-security-update-esa-2023-25/347149

collector/mitre-cve
collector/nvd-api
vendor/elastic
product/kibana
canonical/elastic kibana

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.