Hi,
There is this CVE about a vulnerability in JsonWebToken:
https://nvd.nist.gov/vuln/detail/CVE-2022-23529
This is a vulnerability about insecure input validation in jwt.verify function, in JsonWebToken versions <= 8.5.1.
We are using Kibana 7.8.0 in our product and we see that there are some usages of JsonWebToken in the Kibana files.
My question is, is Kibana vulnerable to this CVE?
Thanks
7.8 is very much EOL and you are unlikely to get a response for that particular version other than you need to upgrade.
For newer versions I would suggest checking out Security issues | Elastic and emailing security@elastic.co.
Sidenote: We'll see what happens to that one [GHSA-27h2-hvpr-p74q] Request to reject CVE: jsonwebtoken has insecure input validation in jwt.verify function by MichaelErmer · Pull Request #1595 · github/advisory-database · GitHub 
Thanks.
I can't find the CVE in the page you provided, is it possible to get an answer here about this vulnerability for newer versions of Kibana? Or the only place I could get an answer is via security@elastic.co?
Thanks
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.