CVE-2021-37936

Published: 19 Nov 2022
Source: redhat
CVSS3: 5.4
EPSS: Low

Description

It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user.

A flaw was found in Kibana: it did not sanitize document fields containing HTML snippets. An attacker with the ability to write documents to an Elasticsearch index could therefore inject HTML, and when the Discover app highlighted a search term inside such a field, the stored HTML was rendered in the user's browser (CWE-79).
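The mechanism described above, as an added illustration that is not Kibana's own code: a minimal Discover-style results highlighter. The sample document field, the injected snippet it contains, and the `highlightUnsafe` / `highlightSafe` helpers are all constructed here for the example. The unsafe variant wraps the raw field value in `<mark>` tags, so anything stored in the index is rendered once the string reaches `innerHTML`; the hardened variant escapes every segment of field content before adding the highlight markup, so stored HTML is shown as inert text. Escaping per segment (rather than escaping the whole value first and then searching it) also avoids inserting a `<mark>` inside an entity such as `&amp;` when the search term happens to be "amp".

```javascript
// Added example for CVE-2021-37936 (not Kibana's code): a search-hit
// highlighter in the style of a Discover-like results table. The field value
// and the helper names below are constructed for this illustration.

// Escape the five HTML-significant characters so field content is shown as text.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escape regex metacharacters so the user's search term is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// VULNERABLE pattern: the raw field value is wrapped in highlight tags and the
// result is later assigned to innerHTML. Any HTML stored in the indexed
// document (by anyone who can write to the index) is rendered as markup.
function highlightUnsafe(fieldValue, term) {
  if (!term) return String(fieldValue);
  const re = new RegExp(escapeRegExp(term), 'gi');
  return String(fieldValue).replace(re, (m) => `<mark>${m}</mark>`);
}

// HARDENED pattern: find matches in the raw text, then emit the output piece
// by piece, HTML-escaping every slice of field content and only adding the
// <mark> markup that the renderer itself controls.
function highlightSafe(fieldValue, term) {
  const value = String(fieldValue);
  if (!term) return escapeHtml(value);
  const re = new RegExp(escapeRegExp(term), 'gi');
  let out = '';
  let last = 0;
  for (const m of value.matchAll(re)) {
    out += escapeHtml(value.slice(last, m.index));
    out += `<mark>${escapeHtml(m[0])}</mark>`;
    last = m.index + m[0].length;
  }
  out += escapeHtml(value.slice(last));
  return out;
}

// Constructed sample: a log message field into which an index writer has
// placed an HTML snippet. The Discover-style view highlights the term "failed".
const SAMPLE_FIELD = 'login failed for <img src=x onerror="alert(1)"> from 10.0.0.5';

// Both renderings side by side; the caller would assign these to innerHTML.
function renderComparison(term = 'failed') {
  return {
    unsafe: highlightUnsafe(SAMPLE_FIELD, term),
    safe: highlightSafe(SAMPLE_FIELD, term),
  };
}
```

Calling `renderComparison()` returns the unsafe string with the `<img ... onerror=...>` element intact and the safe string with that element turned into `&lt;img ... &gt;`, while the `<mark>failed</mark>` highlight is present in both. A term containing HTML or regex metacharacters (for example `<`) is still matched literally and highlighted safely.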

Statement

  • Red Hat OpenShift Logging uses Kibana 5.x which is not affected by this CVE.
  • The puppet-kibana3 package is shipped in Red Hat OpenStack which is not affected by this CVE.

Affected packages

Platform | Package | State | Advisory | Release
Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-rhel8-operator | Not affected | | 
Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Not affected | | 
Red Hat JBoss Fuse 6 | kibana | Out of support scope | | 
Red Hat JBoss Fuse Service Works 6 | kibana | Out of support scope | | 
Red Hat OpenShift Container Platform 3.11 | kibana | Out of support scope | | 
Red Hat OpenShift Container Platform 3.11 | openshift3/ose-logging-kibana5 | Out of support scope | | 
Red Hat OpenStack Platform 13 (Queens) | puppet-kibana3 | Not affected | | 
Red Hat OpenStack Platform 16.1 | puppet-kibana3 | Not affected | | 
Red Hat OpenStack Platform 16.2 | puppet-kibana3 | Not affected | | 


Additional information

Severity (Red Hat impact): Moderate
Weakness: CWE-79
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2148121 (kibana: HTML injection issue (ESA-2021-23))

EPSS: 0.00555 (percentile 68%), Low

CVSS3: 5.4 Medium

Related entries

  • nvd (about 3 years ago), CVSS3: 5.4: same description as above.
  • debian (about 3 years ago), CVSS3: 5.4: "It was discovered that Kibana was not sanitizing document fields conta ..."
  • github (about 3 years ago), CVSS3: 5.4: same description as above.
