CVE-2022-23709 - OpenCVE

A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Elastic	Kibana

Configuration 1 [-]

OR	cpe:2.3:a:elastic:kibana::::::::
	cpe:2.3:a:elastic:kibana:8.0.0:::::::*

No data.

References

Link	Providers
https://discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447
https://nvd.nist.gov/vuln/detail/CVE-2022-23709
https://www.cve.org/CVERecord?id=CVE-2022-23709

History

No history.

MITRE

Status: PUBLISHED

Assigner: elastic

Published: 2022-03-03T21:50:17

Updated: 2024-08-03T03:51:46.009Z

Reserved: 2022-01-19T00:00:00

Link: CVE-2022-23709

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-03-03T22:15:08.850

Modified: 2022-03-16T15:26:39.327

Link: CVE-2022-23709

Redhat

Severity : Moderate

Publid Date: 2022-02-28T00:00:00Z

Links: CVE-2022-23709 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "kibana", "vendor": "Elastic", "versions": [{"status": "affected", "version": "Versions 7.7.0 through 7.17.0, and 8.0.0"}]}], "descriptions": [{"lang": "en", "value": "A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-264", "description": "CWE-264", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-03T21:50:17", "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@elastic.co", "ID": "CVE-2022-23709", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "kibana", "version": {"version_data": [{"version_value": "Versions 7.7.0 through 7.17.0, and 8.0.0"}]}}]}, "vendor_name": "Elastic"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-264"}]}]}, "references": {"reference_data": [{"name": "https://discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447", "refsource": "MISC", "url": "https://discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:51:46.009Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447"}]}]}, "cveMetadata": {"assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "assignerShortName": "elastic", "cveId": "CVE-2022-23709", "datePublished": "2022-03-03T21:50:17", "dateReserved": "2022-01-19T00:00:00", "dateUpdated": "2024-08-03T03:51:46.009Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "5794CA6A-7359-420E-A098-BF8ADD65166F", "versionEndExcluding": "7.17.1", "versionStartIncluding": "7.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:kibana:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5E1ED2C2-73D5-4480-9F09-333E11BF4DB6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules."}, {"lang": "es", "value": "Se ha detectado un fallo en Kibana en el que usuarios con acceso de lectura a la funci\u00f3n de tiempo de actividad pod\u00edan modificar las reglas de alerta. Un usuario con este privilegio podr\u00eda crear nuevas reglas de alerta o sobrescribir las existentes. Sin embargo, cualquier regla nueva o modificada no se habilitar\u00eda, y un usuario con este privilegio no podr\u00eda modificar los conectores de alerta. Esto significa efectivamente que los usuarios de Read podr\u00edan deshabilitar las reglas de alerta existentes"}], "id": "CVE-2022-23709", "lastModified": "2022-03-16T15:26:39.327", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-03T22:15:08.850", "references": [{"source": "bressers@elastic.co", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447"}], "sourceIdentifier": "bressers@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-264"}], "source": "bressers@elastic.co", "type": "Secondary"}]}

{"bugzilla": {"description": "kibana: missing authorization issue (ESA-2022-03)", "id": "2066386", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066386"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-862", "details": ["A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules.", "A flaw was found in Kibana. This issue allows users with read access to the Uptime feature to modify alerting rules, allowing them to create new or overwrite existing ones. However, any rules created this way are not enabled by default and allow the user to disable an existing, enabled alert rule."], "name": "CVE-2022-23709", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "package_name": "openshift-logging/elasticsearch-rhel8-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "Kibana", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "Kibana", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "openshift3/ose-logging-kibana5", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-elasticsearch-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-logging-kibana6", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "puppet-kibana3", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "puppet-kibana3", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "puppet-kibana3", "product_name": "Red Hat OpenStack Platform 16.2"}], "public_date": "2022-02-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-23709\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-23709\nhttps://discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447"], "threat_severity": "Moderate"}