Description
Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process the specially crafted email address, resulting in complete service unavailability for all users until a manual restart is performed.
A flaw was found in Kibana's Email Connector. An authenticated attacker with view-level privileges can exploit this vulnerability by providing a specially crafted email address parameter. This improper input validation can lead to an excessive allocation of resources, resulting in a complete denial of service (DoS) for all users until the service is manually restarted.
Statement
This vulnerability is rated Moderate for Red Hat products as it allows an authenticated attacker with view-level privileges to trigger a denial of service in Kibana's Email Connector. By providing a specially crafted email address, the attacker can cause excessive resource allocation, leading to service unavailability until a manual restart. This impact is limited to deployments where the Email Connector is enabled and accessible to authenticated users.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/cluster-logging-rhel9-operator | Fix deferred | | |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-rhel9-operator | Fix deferred | | |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Fix deferred | | |
| Red Hat JBoss Enterprise Application Platform 8 | kibana | Fix deferred | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | kibana | Fix deferred | | |
| Red Hat OpenShift distributed tracing 3 | rhosdt/tempo-jaeger-query-rhel8 | Fix deferred | | |
| Red Hat OpenStack Platform 16.2 | puppet-kibana3 | Fix deferred | | |
Additional information
Status:
EPSS:
CVSS3: 6.5 Medium