← Back

CVE-2021-22136

nvd nist
Published: May 13, 2021Modified: Nov 21, 2024

JSON object

Loading...
3.5
Vector
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 0.9 / Impact: 2.5
Source: NVD

Description

In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users sessions, preventing a user session from timing out.

Affected (2)

Products: Elastic: Kibana
Elastic
1 product
Kibana
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Elastic
Kibana
Before 6.8.15
Kibana
From 7.0.0 to 7.12.0

Related CWEs

CWE-613
Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (2)

Source: security@elastic.co
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.