CVE-2023-46671 HIGH

CVE-2023-46671: Kibana Insertion of Sensitive Information into Log File

Vendor Elastic
Product Kibana
Weakness CWE-532 · Sensitive info in logs
Published December 13, 2023
Last update August 2, 2024

CVSS base score

8.0/10
Attack vector Adjacent
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Elastic has released Kibana 8.11.1 which resolves this issue. The error message recorded in the log may contain account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users. The issue occurs infrequently, only if an error is returned from an Elasticsearch cluster, in cases where there is user interaction and an unhealthy cluster (for example, when returning circuit breaker or no shard exceptions).

Key dates

02Disclosure timeline

December 13, 2023 CVE published
August 2, 2024 Record updated