Kibana ESA-2023-02

medium Nessus Plugin ID 174002

Synopsis

The remote web server hosts a Java application that is vulnerable.

Description

Kibana versions before 7.17.9 and 8.6.1 are affected by CVE-2022-38900 in one of Kibana's implementations of decode-uri-component, which is vulnerable to Improper Input Validation; this could allow an authenticated attacker to send a request that crashes the Kibana server process.

Solution

Users should upgrade to Kibana version 7.17.9 or 8.6.1.

See Also

http://www.nessus.org/u?bbcb2908

Plugin Details

Severity: Medium

ID: 174002

File Name: kibana_esa_2023_02.nasl

Version: 1.2

Type: remote

Family: CGI abuses

Published: 4/6/2023

Updated: 5/11/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2022-38778

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:elasticsearch:kibana

Required KB Items: installed_sw/Kibana

Exploit Ease: No known exploits are available

Patch Publication Date: 2/3/2023

Vulnerability Publication Date: 2/3/2023

Reference Information

CVE: CVE-2022-38778

IAVB: 2023-B-0021-S