#VU53541 Security features bypass in Kibana


Published: 2021-05-25

Vulnerability identifier: #VU53541

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22142

CWE-ID: CWE-254

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Kibana
Web applications / Other software

Vendor: Elastic Stack

Description

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists because Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate downloadable reports. A remote user with permission to generate reports can render arbitrary HTML in this embedded Chromium instance and attempt to leverage known Chromium vulnerabilities to conduct further attacks.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Kibana: 7.12.0 - 7.12.1, 7.11.0 - 7.11.2, 7.10.0 - 7.10.2, 7.9.0 - 7.9.3, 7.8.0 - 7.8.1, 7.7.0 - 7.7.1, 7.6.0 - 7.6.2, 7.5.0 - 7.5.2, 7.4.0 - 7.4.2, 7.3.0 - 7.3.2, 7.2.0 - 7.2.1, 7.1.0 - 7.1.1, 7.0.0 - 7.0.1
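As an added example (not part of the advisory and not Elastic's own tooling), the following script turns the version list above into a machine-checkable inventory test: it parses the advisory's inclusive ranges and reports whether a given Kibana version falls inside one. The sample `/api/status` payload is constructed for illustration; the only page-derived data is the range list itself, and a version outside every range means "not listed here", not "known safe".

```python
"""Check a Kibana version against the affected ranges stated in this advisory.

Added example. The range text is copied from the advisory; the sample status
payload below is constructed and not a real capture.
"""
import json
import re

# Affected ranges exactly as listed in the advisory (both ends inclusive).
AFFECTED_RANGES_TEXT = (
    "7.12.0 - 7.12.1, 7.11.0 - 7.11.2, 7.10.0 - 7.10.2, 7.9.0 - 7.9.3, "
    "7.8.0 - 7.8.1, 7.7.0 - 7.7.1, 7.6.0 - 7.6.2, 7.5.0 - 7.5.2, "
    "7.4.0 - 7.4.2, 7.3.0 - 7.3.2, 7.2.0 - 7.2.1, 7.1.0 - 7.1.1, 7.0.0 - 7.0.1"
)


def parse_version(text):
    """Convert 'major.minor.patch' into a comparable tuple of ints.

    A trailing suffix such as '-SNAPSHOT' is ignored; anything else is rejected
    so a malformed inventory entry fails loudly instead of silently comparing.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def parse_ranges(ranges_text):
    """Parse 'a - b, c - d, ...' into a list of (low, high) version tuples."""
    ranges = []
    for chunk in ranges_text.split(","):
        low_text, high_text = chunk.split(" - ")
        low, high = parse_version(low_text), parse_version(high_text)
        if low > high:
            raise ValueError(f"inverted range in advisory text: {chunk.strip()!r}")
        ranges.append((low, high))
    return ranges


AFFECTED_RANGES = parse_ranges(AFFECTED_RANGES_TEXT)


def is_affected(version_text, ranges=AFFECTED_RANGES):
    """True if the version falls inside any affected range (inclusive)."""
    version = parse_version(version_text)
    return any(low <= version <= high for low, high in ranges)


def check_status_payload(payload_text):
    """Read version.number from a Kibana status JSON body and check it.

    Returns (version_string, affected_flag). The 'version.number' key is the
    field name the Kibana status API exposes; the payload here is constructed.
    """
    doc = json.loads(payload_text)
    number = doc["version"]["number"]
    return number, is_affected(number)


# Constructed sample in the shape of a status response; not a real capture.
SAMPLE_STATUS = json.dumps(
    {"name": "kibana-01", "version": {"number": "7.12.1", "build_hash": "placeholder"}}
)

if __name__ == "__main__":
    for candidate in ["7.12.1", "7.12.1-SNAPSHOT", "7.13.0", "7.0.2", "6.8.15"]:
        state = "AFFECTED" if is_affected(candidate) else "not listed"
        print(f"{candidate:>16}: {state}")
    print(check_status_payload(SAMPLE_STATUS))
```

Feeding each Kibana node's reported version through `is_affected` gives a quick fleet-wide triage list for this bulletin; hosts that come back "not listed" still need the vendor's fixed-version guidance confirmed separately, since the advisory enumerates affected releases rather than patched ones.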


External links
http://www.elastic.co/community/security#ESA-2021-12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
