CVE-2021-37936 Kibana wasn't sanitizing document fields containing HTML, which allowed attackers to write arbitrary HTML.

CVE-2021-37936 Kibana wasn't sanitizing document fields containing HTML, which allowed attackers to write arbitrary HTML.

The vulnerability was reported to Kibana and patched on November 8, 2017. It is important to keep your Kibana installations up-to-date.

Another issue with Kibana is that index names could contain ' ' (double quotes) characters. If an attacker were to craft an index name that included these characters, they could inject malicious JavaScript code into the Discover app.

It was discovered that indexing options were not being properly sanitized when creating an index. When the indexing options contained malicious code, it could be executed when indexing.

What is Kibana?

Kibana is a web application that allows users to visualize, search, and interact with Elasticsearch data. Anyone who has access to this app can manipulate the data in Elasticsearch.
Kibana was vulnerable to attack due to its design. The attacker could inject malicious JavaScript code into the Discover app using a specially crafted index name. This would allow the attacker server-side access, giving them the ability to execute arbitrary code on Kibana and access any of the user's information in Kibana.

Kibana gives users an easy way to visualize, search, and interact with their Elasticsearch data. Because it's designed for end-users, it lacks security precautions such as input validation or sanitization functions that would prevent an attacker from injecting malicious JavaScript code into the Discover app via a specially crafted index name. Because of its design, attackers could inject malicious JavaScript code into the Discover app when creating an index which would give them server-side access to Kibana and any of the users' information stored in Kibana

Indexing Options

If an attacker were to craft an index name that included these characters, they could inject malicious JavaScript code into the Discover app.
The vulnerability was reported to Kibana and patched on November 8, 2017. It is important to keep your Kibana installations up-to-date. Another issue with Kibana is that index names could contain ' ' (double quotes) characters. If an attacker were to craft an index name that included these characters, they could inject malicious JavaScript code into the Discover app. So, if you haven't updated your Kibana installation yet, please do it as soon as possible! In addition to updating your Kibana installation, you can also check out what other top vulnerabilities have been found in the past by reading our blog post titled "Top 20 Most Critical Vulnerabilities Found in Elasticsearch."

Index names could contain double quotes

This could result in a malformed database query that would execute malicious code when indexing.
The vulnerability was reported to Kibana and fixed on November 8, 2017.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe