Lucene search

[email protected]CVE-2021-37939

HistoryNov 18, 2021 - 4:15 p.m.

CVE-2021-37939

2021-11-1816:15:08

CWE-319

CWE-200

[email protected]

web.nvd.nist.gov

cve-2021-37939

kibana

jira connector

ibm resilient connector

http response data

internal hosts

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

2.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

3.4 Low

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.9%

JSON

It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could utilize these connectors to view limited HTTP response data on hosts accessible to the cluster.

Affected configurations

NVD

Node

elastickibanaRange7.8.0–7.15.2

CPENameOperatorVersion
elastic:kibanaelastic kibanalt7.15.2

CPE	Name	Operator	Version
elastic:kibana	elastic kibana	lt	7.15.2

CNA Affected

[
  {
    "product": "Kibana",
    "vendor": "Elastic",
    "versions": [
      {
        "status": "affected",
        "version": "All versions from 7.8.0 through 7.15.1"
      }
    ]
  }
]