CVE-2021-22142

Kibana Reporting vulnerabilities

CVSS 6.6 (Medium) · EPSS 1.0% · CWE-1104
In short

Kibana's reporting feature uses an embedded Chromium browser to generate downloadable reports. If a user with report generation permissions can make this browser display malicious HTML, they could exploit known Chromium vulnerabilities to attack the system.

Technical detail

The vulnerability exists in Kibana's Reporting feature, which embeds Chromium for PDF and image generation. An authenticated attacker who holds report generation permissions and is able to get past Kibana's HTML rendering protections could make the embedded browser render arbitrary content, potentially triggering known Chromium CVEs for privilege escalation or code execution on the Kibana server.

Summary generated and translated by AI from the official description.
Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate the downloadable reports. If a user with permissions to generate reports is able to render arbitrary HTML with this browser, they may be able to leverage known Chromium vulnerabilities to conduct further attacks. Kibana contains a number of protections to prevent this browser from rendering arbitrary content.
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
Elastic · Kibana
