Vulnerability Name:	CVE-2021-37939 (CCN-214008)
Assigned:	2021-11-10
Published:	2021-11-10
Updated:	2021-11-23
Summary:	It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could utilize these connectors to view limited HTTP response data on hosts accessible to the cluster.
CVSS v3 Severity:	2.7 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) 2.4 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C) Exploitability Metrics: Attack Vector (AV):  Attack Complexity (AC):  Privileges Required (PR):  User Interaction (UI):  Scope: Scope (S):  Impact Metrics: Confidentiality (C):  Integrity (I):  Availibility (A):  4.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N) 3.6 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C) Exploitability Metrics: Attack Vector (AV):  Attack Complexity (AC):  Privileges Required (PR):  User Interaction (UI):  Scope: Scope (S):  Impact Metrics: Confidentiality (C):  Integrity (I):  Availibility (A):
CVSS v2 Severity:	4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N) Exploitability Metrics: Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance Impact Metrics: Confidentiality (C): Partial Integrity (I): None Availibility (A): None 4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N) Exploitability Metrics: Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance Impact Metrics: Confidentiality (C): Partial Integrity (I): None Availibility (A): None
Vulnerability Type:	CWE-319
Vulnerability Consequences:	Obtain Information
References:	Source: MITRE Type: CNA CVE-2021-37939 Source: CCN Type: Elasticsearch ESA-2021-27 Kibana Information Disclosure issue Source: XF Type: UNKNOWN elasticsearch-cve202137939-info-disc(214008)
Vulnerability Name:	CVE-2021-37939 (CCN-216416)
Assigned:	2021-11-10
Published:	2021-11-10
Updated:	2021-11-10
Summary:	Elasticsearch Kibana's JIRA connector could allow a remote authenticated attacker to obtain sensitive information, caused by the transmission of sensitive information in plain text. By creating specially-crafted connectors, an attacker could exploit this vulnerability to view limited HTTP response data on hosts, and use this information to launch further attacks against the affected system.
CVSS v3 Severity:	2.7 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) 2.4 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C) Exploitability Metrics: Attack Vector (AV):  Attack Complexity (AC):  Privileges Required (PR):  User Interaction (UI):  Scope: Scope (S):  Impact Metrics: Confidentiality (C):  Integrity (I):  Availibility (A):  4.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N) 3.6 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C) Exploitability Metrics: Attack Vector (AV):  Attack Complexity (AC):  Privileges Required (PR):  User Interaction (UI):  Scope: Scope (S):  Impact Metrics: Confidentiality (C):  Integrity (I):  Availibility (A):
CVSS v2 Severity:	4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N) Exploitability Metrics: Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance Impact Metrics: Confidentiality (C): Partial Integrity (I): None Availibility (A): None 4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N) Exploitability Metrics: Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance Impact Metrics: Confidentiality (C): Partial Integrity (I): None Availibility (A): None
Vulnerability Consequences:	Obtain Information
References:	Source: MITRE Type: CNA CVE-2021-37939 Source: CCN Type: Elasticsearch ESA-2021-27 Kibana Information Disclosure issue Source: XF Type: UNKNOWN elasticsearch-cve202137939-info-disc(216416)
BACK