CVE-2023-46671

MEDIUM Year: 2023
CVSS v3 Score
6.5
Medium
Weakness Type
CWE-532
View all →

Vulnerability Description

An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Elastic has released Kibana 8.11.1 which resolves this issue. The error message recorded in the log may contain account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users. The issue occurs infrequently, only if an error is returned from an Elasticsearch cluster, in cases where there is user interaction and an unhealthy cluster (for example, when returning circuit breaker or no shard exceptions).

Related Vulnerabilities

CVE-2016-10362

MEDIUM
CVSS:6.5(Medium)

Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating connections after sniffing, would log to file HTTP basic auth credentials.

CWE-5322016

CVE-2016-10819

MEDIUM
CVSS:6.5(Medium)

In cPanel before 57.9999.54, user log files become world-readable when rotated by cpanellogd (SEC-125).

CWE-5322016

CVE-2017-11134

MEDIUM
CVSS:6.5(Medium)

An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android. The login credentials are written into a log file on the device. Hence, an attacker with access to the logs can read them.

CWE-5322017

CVE-2017-3744

MEDIUM
CVSS:6.5(Medium)

In the IMM2 firmware of Lenovo System x servers, remote commands issued by LXCA or other utilities may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated ...

CWE-5322017

CVE-2018-0504

MEDIUM
CVSS:6.5(Medium)

Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains an information disclosure flaw in the Special:Redirect/logid

CWE-5322018

CVE-2018-19014

MEDIUM
CVSS:6.5(Medium)

Drager Infinity Delta, Infinity Delta, all versions, Delta XL, all versions, Kappa, all version, and Infinity Explorer C700, all versions. Log files are accessible over an unauthenticated network conn...

CWE-5322018