{"containers": {"cna": {"affected": [{"product": "Kibana", "vendor": "Elastic", "versions": [{"status": "affected", "version": "All versions from 7.8.0 through 7.15.1"}]}], "descriptions": [{"lang": "en", "value": "It was discovered that Kibana\u2019s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could utilize these connectors to view limited HTTP response data on hosts accessible to the cluster."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-18T15:09:27", "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://discuss.elastic.co/t/kibana-7-15-2-security-update/288923"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@elastic.co", "ID": "CVE-2021-37939", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kibana", "version": {"version_data": [{"version_value": "All versions from 7.8.0 through 7.15.1"}]}}]}, "vendor_name": "Elastic"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was discovered that Kibana\u2019s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could utilize these connectors to view limited HTTP response data on hosts accessible to the cluster."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200"}]}]}, "references": {"reference_data": [{"name": "https://discuss.elastic.co/t/kibana-7-15-2-security-update/288923", "refsource": "MISC", "url": "https://discuss.elastic.co/t/kibana-7-15-2-security-update/288923"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:30:09.049Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://discuss.elastic.co/t/kibana-7-15-2-security-update/288923"}]}]}, "cveMetadata": {"assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "assignerShortName": "elastic", "cveId": "CVE-2021-37939", "datePublished": "2021-11-18T15:09:27", "dateReserved": "2021-08-03T00:00:00", "dateUpdated": "2024-08-04T01:30:09.049Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "73E895D4-5697-4C82-BC18-DA8E42361B95", "versionEndExcluding": "7.15.2", "versionStartIncluding": "7.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "It was discovered that Kibana\u2019s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could utilize these connectors to view limited HTTP response data on hosts accessible to the cluster."}, {"lang": "es", "value": "Se ha detectado que el conector JIRA de Kibana y el conector Resilient de IBM pueden ser usados para devolver datos de respuesta HTTP en hosts internos, que pueden estar intencionadamente ocultos a la vista del p\u00fablico. Usando esta vulnerabilidad, un usuario malicioso con la capacidad de crear conectores, podr\u00eda usar estos conectores para ver datos de respuesta HTTP limitados en hosts accesibles al cluster."}], "id": "CVE-2021-37939", "lastModified": "2021-11-23T17:21:06.010", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-18T16:15:08.963", "references": [{"source": "bressers@elastic.co", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/kibana-7-15-2-security-update/288923"}], "sourceIdentifier": "bressers@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "bressers@elastic.co", "type": "Secondary"}]}

{"bugzilla": {"description": "kibana: HTTP server information disclosure via JIRA and IBM Resilient connectors", "id": "2027187", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2027187"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-319", "details": ["It was discovered that Kibana\u2019s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could utilize these connectors to view limited HTTP response data on hosts accessible to the cluster.", "An information disclosure flaw was found in kibana. A malicious user with the ability to create connectors could utilize the JIRA and IBM Resilient connectors to view limited HTTP response data on hosts accessible to the cluster."], "name": "CVE-2021-37939", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-logging-kibana6", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2021-11-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-37939\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-37939\nhttps://discuss.elastic.co/t/kibana-7-15-2-security-update/288923"], "threat_severity": "Low", "upstream_fix": "kibana 7.15.2"}