Security features bypass in Kibana - CVE-2021-22142

 

Security features bypass in Kibana - CVE-2021-22142

Published: May 25, 2021


Vulnerability identifier: #VU53541
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-22142
CWE-ID: CWE-254
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Elastic Stack
Affected software:
Kibana

Detailed vulnerability description

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate the downloadable reports. A remote user with permissions to generate reports can render arbitrary HTML with this Chromium browser and try to leverage known Chromium vulnerabilities to conduct further attacks.


How to mitigate CVE-2021-22142

Install updates from vendor's website.

Sources