Kibana Insertion of Sensitive Information into Log File

An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Elastic has released Kibana 8.11.1 which resolves this issue. The error message recorded in the log may contain account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users. The issue occurs infrequently, only if an error is returned from an Elasticsearch cluster, in cases where there is user interaction and an unhealthy cluster (for example, when returning circuit breaker or no shard exceptions).

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

通过日志文件的信息暴露

Elastic Kibana 安全漏洞

Elastic Kibana是荷兰Elastic公司的一个应用系统。一个免费且开放的用户界面，能够让您对 Elasticsearch 数据进行可视化，并让您在 Elastic Stack 中进行导航。 Elastic Kibana 8.0.0 到 8.11.1版本存在安全漏洞，该漏洞源于Kibana 将敏感信息插入日志文件 ，日志中记录的错误消息可能包含 kibana_system 的帐户凭据、Kibana 用户、API 密钥和凭证。

N/A

N/A