PT-2021-14864 · Elastic · Kibana

Published 2021-05-13 · Updated 2021-05-21 · CVE-2021-22136

CVSS v2.0: 3.6 (Low)

Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Kibana versions prior to 7.12.0; Kibana versions prior to 6.8.15

Description: A flaw in session timeout handling was discovered: the xpack.security.session.idleTimeout setting is not respected. Background polling activities unintentionally extended authenticated users' sessions, preventing a user session from timing out.

Recommendations: For versions prior to 7.12.0, update to version 7.12.0 or later to resolve the issue. For versions prior to 6.8.15, update to version 6.8.15 or later to resolve the issue. As a temporary workaround, consider restricting background polling activities to minimize the risk of exploitation.
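As an added example (not Kibana's own code), the following JavaScript contrasts idle-timeout bookkeeping in which every request, including background polls, refreshes the timer, which is the behaviour the description reports, with a hardened version in which only user-initiated requests do. The `isBackgroundPoll` flag on the request object is an assumed marker, and the 10-minute constant stands in for xpack.security.session.idleTimeout.

```javascript
// Added example, not Kibana code: idle-timeout bookkeeping where background
// polling must not count as user activity.
const IDLE_TIMEOUT_MS = 10 * 60 * 1000; // stands in for xpack.security.session.idleTimeout

// Vulnerable behaviour: any authenticated request, background polls included,
// refreshes the idle timer, so a tab left open keeps the session alive forever.
function touchSessionVulnerable(session, _request, now) {
  if (now - session.lastActivity > IDLE_TIMEOUT_MS) return false; // expired
  session.lastActivity = now;
  return true;
}

// Hardened behaviour: background polls (assumed `isBackgroundPoll` flag) are
// still served while the session is valid, but only user-initiated requests
// extend its lifetime.
function touchSessionHardened(session, request, now) {
  if (now - session.lastActivity > IDLE_TIMEOUT_MS) return false; // expired
  if (!request.isBackgroundPoll) session.lastActivity = now;
  return true;
}

// Replay a timeline: the user authenticates at t=0 and walks away while the UI
// keeps polling every `pollIntervalMs`. Returns whether the session is still
// alive after `hours` hours with no user interaction at all.
function simulateIdleTab(touch, hours, pollIntervalMs = 30_000) {
  const session = { lastActivity: 0 };
  const end = hours * 3_600_000;
  for (let t = pollIntervalMs; t <= end; t += pollIntervalMs) {
    if (!touch(session, { isBackgroundPoll: true }, t)) return false;
  }
  return true;
}

console.log('vulnerable, 8h idle tab alive:', simulateIdleTab(touchSessionVulnerable, 8)); // true
console.log('hardened,   8h idle tab alive:', simulateIdleTab(touchSessionHardened, 8));   // false
```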

Fix

Insufficient Session Expiration


Weakness Enumeration

Related Identifiers: CVE-2021-22136

Affected Products: Kibana