It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user.
References
Link | Resource |
---|---|
https://discuss.elastic.co/t/elastic-stack-7-14-1-security-update/283077 | Mitigation Vendor Advisory |
https://www.elastic.co/community/security/ | Mitigation Vendor Advisory |
Configurations
History
22 Nov 2022, 20:28
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-11-18 23:15
Updated : 2024-02-04 23:14
NVD link : CVE-2021-37936
Mitre link : CVE-2021-37936
CVE.ORG link : CVE-2021-37936
JSON object : View
Products Affected
elastic
- kibana
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')