CVE-2022-23707 - Vulnerability Details - OpenCVE

An XSS vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permissions to create index patterns can inject malicious javascript into the index pattern which could execute against other users

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00511.

Key SSVC decision points have not yet been added.

Vendors	Products
Elastic	Kibana

Configuration 1 [-]

cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-28646	An XSS vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permissions to create index patterns can inject malicious javascript into the index pattern which could execute against other users

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://discuss.elastic.co/t/kibana-7-17-0-security-update/296215
https://nvd.nist.gov/vuln/detail/CVE-2022-23707
https://www.cve.org/CVERecord?id=CVE-2022-23707

History

No history.

MITRE

Status: PUBLISHED

Assigner: elastic

Published: 2022-02-11T17:40:27

Updated: 2024-08-03T03:51:45.679Z

Reserved: 2022-01-19T00:00:00

Link: CVE-2022-23707

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-02-11T18:15:11.797

Modified: 2024-11-21T06:49:08.920

Link: CVE-2022-23707

Redhat

Severity : Moderate

Publid Date: 2022-02-03T00:00:00Z

Links: CVE-2022-23707 - Bugzilla

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Kibana", "vendor": "Elastic", "versions": [{"status": "affected", "version": "7.5.1 through 7.16.3"}]}], "descriptions": [{"lang": "en", "value": "An XSS vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permissions to create index patterns can inject malicious javascript into the index pattern which could execute against other users"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-11T17:40:27", "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://discuss.elastic.co/t/kibana-7-17-0-security-update/296215"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@elastic.co", "ID": "CVE-2022-23707", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kibana", "version": {"version_data": [{"version_value": "7.5.1 through 7.16.3"}]}}]}, "vendor_name": "Elastic"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An XSS vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permissions to create index patterns can inject malicious javascript into the index pattern which could execute against other users"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79"}]}]}, "references": {"reference_data": [{"name": "https://discuss.elastic.co/t/kibana-7-17-0-security-update/296215", "refsource": "MISC", "url": "https://discuss.elastic.co/t/kibana-7-17-0-security-update/296215"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:51:45.679Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://discuss.elastic.co/t/kibana-7-17-0-security-update/296215"}]}]}, "cveMetadata": {"assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "assignerShortName": "elastic", "cveId": "CVE-2022-23707", "datePublished": "2022-02-11T17:40:27", "dateReserved": "2022-01-19T00:00:00", "dateUpdated": "2024-08-03T03:51:45.679Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "25C019D9-EB78-4E90-B756-6EB990CF0EAE", "versionEndExcluding": "7.17.0", "versionStartIncluding": "7.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An XSS vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permissions to create index patterns can inject malicious javascript into the index pattern which could execute against other users"}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad de tipo XSS en los patrones de \u00edndice de Kibana. Usando esta vulnerabilidad, un usuario autenticado con permisos para crear patrones de \u00edndice puede inyectar javascript malicioso en el patr\u00f3n de \u00edndice que podr\u00eda ejecutarse contra otros usuarios"}], "id": "CVE-2022-23707", "lastModified": "2024-11-21T06:49:08.920", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-11T18:15:11.797", "references": [{"source": "bressers@elastic.co", "tags": ["Patch", "Vendor Advisory"], "url": "https://discuss.elastic.co/t/kibana-7-17-0-security-update/296215"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://discuss.elastic.co/t/kibana-7-17-0-security-update/296215"}], "sourceIdentifier": "bressers@elastic.co", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "bressers@elastic.co", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "Kibana: Cross-site scripting issue (ESA-2022-01)", "id": "2051419", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2051419"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["An XSS vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permissions to create index patterns can inject malicious javascript into the index pattern which could execute against other users", "A Cross-Site Scripting (XSS) vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permission to create index patterns can inject malicious javascript into the index pattern, which could execute against other users."], "name": "CVE-2022-23707", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "package_name": "openshift-logging/elasticsearch-rhel8-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "Kibana", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "Kibana", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "openshift3/ose-logging-kibana5", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-elasticsearch-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-logging-kibana6", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "puppet-kibana3", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "puppet-kibana3", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "puppet-kibana3", "product_name": "Red Hat OpenStack Platform 16.2"}], "public_date": "2022-02-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-23707\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-23707"], "threat_severity": "Moderate"}