Kibana is a popular open-source data visualization tool, especially as the face of the Elastic Stack (formerly known as the ELK Stack: Elasticsearch, Logstash, Kibana). Companies worldwide use Kibana to monitor applications, logs, and infrastructure in real time. However, a critical vulnerability, CVE-2022-23711, was found in Kibana. This flaw could let anyone access sensitive Elastic Stack monitoring configurations straight from the web page source — even if they aren’t logged into Kibana.

Let’s break down what this means, who’s at risk, how it works, and how to fix it. We’ll include code snippets, PoC, and links to original resources.

What Is CVE-2022-23711?

CVE-2022-23711 is a security vulnerability discovered in several earlier versions of Kibana.

- Summary: When Kibana is used as a remote UI for Elastic Stack Monitoring (and certain monitoring.ui.elasticsearch.* settings are configured), sensitive connection details for Elasticsearch could leak into client-side code.
- Impact: Anyone who can access Kibana’s web interface can potentially view this sensitive information in the page source HTML—no authentication required.
- Scope: The exposure happens when optional settings like monitoring.ui.elasticsearch.username, monitoring.ui.elasticsearch.password, or other monitoring.ui.elasticsearch.* parameters are configured in kibana.yml.
- Other exposure: The same bug could leak non-sensitive internal application details even if monitoring settings aren’t set.

How Does It Happen?

Kibana’s web interface embeds configuration data in the HTML page source it serves. That configuration data mistakenly included the monitoring.ui.elasticsearch.* values, which could contain the Elasticsearch username, password, and host addresses set in kibana.yml.

Here’s an Illustration

When you open Kibana in the browser (http://your-kibana-instance:5601) and view the page source (Ctrl+U or right-click → "View Page Source"), you might see something like:

<script>
  window.__kbnBootstrap__ = {
    // ...other stuff...
    configs: {
      // ...other safe configs...
      "monitoring.ui.elasticsearch.username": "elastic_admin",
      "monitoring.ui.elasticsearch.password": "SuperSecretPassword",
      "monitoring.ui.elasticsearch.hosts": "http://internal-es:920"
    }
  };
</script>

Note: Actual output might vary, but this shows the idea—these values are present in JavaScript objects on every loaded page!

No login required: Anyone who can connect to the Kibana port can read this data—no login, no extra steps.

You are at risk if

- You run an affected Kibana version (see Advisory details)
- You have monitoring.ui.elasticsearch.* settings (username, password, hosts) configured in kibana.yml; non-sensitive internal details can leak even without them

Example Kibana Configuration (kibana.yml)

monitoring.ui.elasticsearch.username: "elastic_admin"
monitoring.ui.elasticsearch.password: "SuperSecretPassword"
monitoring.ui.elasticsearch.hosts: [ "http://internal-es:920" ]

To check your own instance, open the page source as described above, then:

- Search (Ctrl+F) for any of your configuration strings, for example, monitoring.ui.elasticsearch.
- See if the username/password is revealed in the JavaScript block.
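The manual check above can be scripted for a routine audit. The following is an added example, not code from the post or from Elastic: it reports which monitoring.ui.elasticsearch.* keys appear in a saved Kibana page source (key names only, never the values) and which of those settings are still active in a kibana.yml. The page source and kibana.yml below are constructed samples modelled on the snippets in this post.

```python
import re

# Keys whose values must never reach the browser (the CVE-2022-23711 leak surface).
MONITORING_KEY_RE = re.compile(r'"?(monitoring\.ui\.elasticsearch\.[A-Za-z0-9_.]+)"?\s*:')

# Constructed sample of a vulnerable page source, modelled on the snippet above.
SAMPLE_PAGE = '''<html><head></head><body><script>
  window.__kbnBootstrap__ = {
    configs: {
      "monitoring.ui.elasticsearch.username": "elastic_admin",
      "monitoring.ui.elasticsearch.password": "SuperSecretPassword",
      "monitoring.ui.elasticsearch.hosts": "http://internal-es:920"
    }
  };
</script></body></html>'''

# Constructed kibana.yml: two settings already commented out, one still active.
SAMPLE_KIBANA_YML = '''server.port: 5601
#monitoring.ui.elasticsearch.username: "elastic_admin"
#monitoring.ui.elasticsearch.password: "SuperSecretPassword"
monitoring.ui.elasticsearch.hosts: [ "http://internal-es:920" ]
'''


def leaked_monitoring_keys(page_source: str) -> list[str]:
    """Return the monitoring.ui.elasticsearch.* key names found in a served
    Kibana page. Only key names are returned: the values are secrets and
    should not be copied into audit logs or tickets."""
    seen = []
    for match in MONITORING_KEY_RE.finditer(page_source):
        if match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def active_monitoring_settings(kibana_yml: str) -> list[str]:
    """Return monitoring.ui.elasticsearch.* keys that are still active
    (not commented out) in a kibana.yml, i.e. the settings left to remove."""
    active = []
    for line in kibana_yml.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # commented out: already mitigated
        key = stripped.split(":", 1)[0].strip()
        if key.startswith("monitoring.ui.elasticsearch."):
            active.append(key)
    return active


if __name__ == "__main__":
    print("leaked in page source:", leaked_monitoring_keys(SAMPLE_PAGE))
    print("still active in kibana.yml:", active_monitoring_settings(SAMPLE_KIBANA_YML))
```

Feed leaked_monitoring_keys the saved page source of your own instance and active_monitoring_settings your real kibana.yml; an empty result from both means the leak surface described here is closed.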

Why Is This Such a Big Deal?

- Credential Leak: If these configs contain real usernames, passwords, or tokens, an attacker can steal them and access Elasticsearch directly.
- Wider Exposure: Even if credentials don’t leak, other internal info could help future attacks by exposing endpoints, roles, or internal topology.
- No Authentication Barrier: If Kibana is accessible (sometimes even within the VPN or cloud VPC), users are at risk.

Affected Versions & Fixes

Elastic’s official Security Advisory summarizes the impact and patch versions. Vulnerable versions include:

7.17.1 and 8..1

Read the official CVE entry for more.

- Upgrade Kibana: Immediately upgrade to at least 7.17.1, 8..1, or higher.
- Remove monitoring UI settings: If you cannot upgrade, comment out (#) all monitoring.ui.elasticsearch.* settings in your kibana.yml, then restart.
- Restrict Kibana Access: Make Kibana accessible only via VPN or whitelisted IPs.
- Use Reverse Proxy Auth: Put a reverse proxy (like nginx) in front of Kibana to add authentication.

Example config to remove in kibana.yml

#monitoring.ui.elasticsearch.username: "elastic_admin"
#monitoring.ui.elasticsearch.password: "SuperSecretPassword"
#monitoring.ui.elasticsearch.hosts: [ "http://internal-es:920" ]

Additional Resources

- Elastic Stack 8..1 Security Update (Elastic forums)
- CVE-2022-23711 at NVD
- Elastic Stack Release Notes
- Kibana Official Docs: Monitoring

Conclusion

CVE-2022-23711 shows how even basic configuration mistakes or code oversights can cause major leaks in popular tools like Kibana. Always keep your systems patched, restrict sensitive UIs to trusted users only, and watch for advisories from your software vendors.

Stay Secure! And regularly audit your exposed UIs and configurations.

If you found this post useful, check the links above for more details on protecting your Elastic Stack!

Timeline

Published on: 04/21/2022 19:15:00 UTC
Last modified on: 05/03/2022 19:04:00 UTC