CVE-2023-46671

Name of the Vulnerable Software and Affected Versions Kibana versions prior to 8.11.1

Description An issue was discovered whereby sensitive information may be recorded in Kibana logs in the event of an error. The error message recorded in the log may contain account credentials for the kibana system user, API Keys, and credentials of Kibana end-users. The issue occurs infrequently, only if an error is returned from an Elasticsearch cluster, in cases where there is user interaction and an unhealthy cluster, such as when returning circuit breaker or no shard exceptions.

Recommendations For versions prior to 8.11.1, update to Kibana 8.11.1 to resolve the issue. As a temporary workaround, consider restricting access to Kibana logs to minimize the risk of sensitive information exposure.