Kibana denial of service issue (ESA-2021-10)
A denial of service vulnerability was found in the Kibana webhook actions due to a lack of timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailable for all other users.
Thank you to Dominic Couture for this finding.
Affected Versions:
All versions of Kibana prior to 7.12.1
Solutions and Mitigations:
Customers should upgrade to version 7.12.1 or above.
CVSSv3: 4.9 - AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2021-22139
App Search XML External Entity Injection issue (ESA-2021-11)
An XML External Entity Injection issue (XXE) was found in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files.
Thank you to Dominic Couture for this finding.
Affected Versions:
Versions 7.11 to 7.12
Solutions and Mitigations:
Customers that are utilizing the App Search web crawler should upgrade to 7.12.1 or above.
CVSSv3: 9.3 - AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
CVE ID: CVE-2021-22140
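To show the defensive check behind the App Search fix in concrete terms, here is an added example (not Elastic's code, and not the App Search crawler's implementation) of a sitemap.xml parser that refuses any DOCTYPE, entity declaration or external entity reference and enforces a size cap, so a crawled site can neither reach the host's filesystem nor feed the crawler an unbounded document. The sample sitemaps, the size limit and the placeholder file path are constructed for the example.

```python
import xml.parsers.expat

# Constructed hardening limit for this example (sitemaps.org caps sitemaps at 50 MB).
MAX_SITEMAP_BYTES = 50 * 1024 * 1024


class UnsafeSitemap(ValueError):
    """The document contains a construct a web crawler should never accept."""


def parse_sitemap_locs(data: bytes) -> list:
    """Return the <loc> URLs of a sitemap; a sitemap needs no DTD, so DOCTYPE,
    entity declarations and external entity references abort parsing."""
    if len(data) > MAX_SITEMAP_BYTES:
        raise UnsafeSitemap("sitemap exceeds size limit")
    parser = xml.parsers.expat.ParserCreate()
    locs, buf, stack = [], [], []

    def reject(*_args):
        raise UnsafeSitemap("DOCTYPE / entity constructs are not allowed in a sitemap")

    parser.StartDoctypeDeclHandler = reject    # fires on <!DOCTYPE ...>
    parser.EntityDeclHandler = reject          # fires on <!ENTITY ...>
    parser.ExternalEntityRefHandler = reject   # fires if an external entity is referenced

    def start(name, _attrs):
        stack.append(name.rpartition(":")[2])  # drop any namespace prefix
        buf.clear()

    def chars(text):
        buf.append(text)                       # text can arrive in several chunks

    def end(_name):
        if stack.pop() == "loc":
            locs.append("".join(buf).strip())
        buf.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return locs


# Constructed sample inputs: a normal sitemap, and one carrying the DTD an
# XXE-vulnerable crawler would resolve against the host's filesystem.
BENIGN_SITEMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/about</loc></url>
</urlset>"""
XXE_SITEMAP = b"""<?xml version="1.0"?>
<!DOCTYPE urlset [<!ENTITY leak SYSTEM "file:///PLACEHOLDER/sensitive-file">]>
<urlset><url><loc>https://example.com/?&leak;</loc></url></urlset>"""
```

Running `parse_sitemap_locs(BENIGN_SITEMAP)` returns the two URLs, while `parse_sitemap_locs(XXE_SITEMAP)` raises `UnsafeSitemap` at the DOCTYPE before the entity is ever resolved.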