A question about a potential vulnerability in Kibana


There is this CVE about a vulnerability in JsonWebToken:
This is a vulnerability about insecure input validation in the jwt.verify function, in JsonWebToken versions <= 8.5.1.

We are using Kibana 7.8.0 in our product and we see that there are some usages of JsonWebToken in the Kibana files.

My question is, is Kibana vulnerable to this CVE?



7.8 is very much EOL and you are unlikely to get a response for that particular version other than that you need to upgrade.

For newer versions I would suggest checking out Security issues | Elastic and emailing security@elastic.co.

Sidenote: We'll see what happens to that one: "[GHSA-27h2-hvpr-p74q] Request to reject CVE: jsonwebtoken has insecure input validation in jwt.verify function" by MichaelErmer (Pull Request #1595, github/advisory-database, GitHub) :sweat_smile:

I can't find the CVE in the page you provided. Is it possible to get an answer here about this vulnerability for newer versions of Kibana? Or is the only place I could get an answer via security@elastic.co?

