A question about a potential vulnerability in Kibana

Hi,

There is this CVE about a vulnerability in JsonWebToken:
https://nvd.nist.gov/vuln/detail/CVE-2022-23529
This is a vulnerability about insecure input validation in the jwt.verify function, in JsonWebToken versions <= 8.5.1.

We are using Kibana 7.8.0 in our product and we see that there are some usages of JsonWebToken in the Kibana files.

My question is, is Kibana vulnerable to this CVE?

Thanks

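A quick way to answer the version part of the question on any install, as an added example that is not from the thread or from Elastic: walk the Kibana directory for every bundled copy of jsonwebtoken (hoisted and nested) and flag those at or below 8.5.1, the affected range NVD lists for CVE-2022-23529. The node_modules tree built by make_sample_tree is constructed here for the demo; KIBANA_HOME is an assumed install path, and a version match only tells you the library is in range, not whether Kibana's call sites are reachable with attacker-controlled input.

```shell
#!/bin/sh
# Added example, not from the thread or from Elastic: list every copy of
# jsonwebtoken bundled under a Kibana install and flag those at or below 8.5.1,
# the affected range NVD gives for CVE-2022-23529. The tree built by
# make_sample_tree is constructed here; on a real install point scan_jwt at
# $KIBANA_HOME (assumed install directory) instead.

# version_le A B: exit 0 when semver A <= B, comparing major.minor.patch
# numerically (a prerelease suffix such as "-beta.1" is dropped first).
version_le() {
  v1=${1%%-*}; v2=${2%%-*}
  set -- $(printf '%s %s' "$v1" "$v2" | tr '.' ' ')
  # $1 $2 $3 are A's fields, $4 $5 $6 are B's
  [ "$1" -lt "$4" ] && return 0
  [ "$1" -gt "$4" ] && return 1
  [ "$2" -lt "$5" ] && return 0
  [ "$2" -gt "$5" ] && return 1
  [ "$3" -le "$6" ]
}

# jwt_status VERSION: AFFECTED if VERSION <= 8.5.1, ok otherwise, UNKNOWN if empty
jwt_status() {
  [ -n "$1" ] || { echo UNKNOWN; return; }
  if version_le "$1" 8.5.1; then echo AFFECTED; else echo ok; fi
}

# scan_jwt DIR: print "path version status" for each nested jsonwebtoken package
scan_jwt() {
  find "$1" -path '*/node_modules/jsonwebtoken/package.json' -type f | sort |
  while read -r pkg; do
    ver=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n1)
    printf '%s %s %s\n' "$pkg" "$ver" "$(jwt_status "$ver")"
  done
}

# make_sample_tree: build a constructed node_modules tree with two bundled copies
# (one hoisted at 8.5.1, one nested under a dependency at 9.0.0) and print its path
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/node_modules/jsonwebtoken" "$d/node_modules/some-dep/node_modules/jsonwebtoken"
  printf '{\n  "name": "jsonwebtoken",\n  "version": "8.5.1"\n}\n' > "$d/node_modules/jsonwebtoken/package.json"
  printf '{ "name": "jsonwebtoken", "version": "9.0.0" }\n' > "$d/node_modules/some-dep/node_modules/jsonwebtoken/package.json"
  echo "$d"
}

# Usage: scan the constructed tree; on a real install use scan_jwt "$KIBANA_HOME"
sample=$(make_sample_tree)
scan_jwt "$sample"
rm -rf "$sample"
```

Run it against the real install root rather than only the top-level node_modules: Kibana ships nested copies of dependencies, and the hoisted one is not always the only one loaded.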

7.8 is very much EOL and you are unlikely to get a response for that particular version other than you need to upgrade.

For newer versions I would suggest checking out Security issues | Elastic and emailing security@elastic.co.

Sidenote: We'll see what happens to that one [GHSA-27h2-hvpr-p74q] Request to reject CVE: jsonwebtoken has insecure input validation in jwt.verify function by MichaelErmer · Pull Request #1595 · github/advisory-database · GitHub :sweat_smile:

Thanks.
I can't find the CVE on the page you provided. Is it possible to get an answer here about this vulnerability for newer versions of Kibana? Or is the only place I could get an answer via security@elastic.co?

Thanks