
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. The vulnerability affects Kibana versions 8.0.0 through 8.11.1, was disclosed on December 13, 2023, and has been assigned CVE-2023-46671. Both self-managed Kibana installations and Elastic Cloud deployments are affected (Elastic Advisory).
The vulnerability is classified as CWE-532 (Insertion of Sensitive Information into Log File). When Elasticsearch returns an error, the error message that Kibana writes to its log may include the credentials of the request that failed: the kibana_system account credentials, API keys, or the credentials of Kibana end-users. The issue occurs infrequently, only when an error is returned from an Elasticsearch cluster during user interaction with an unhealthy cluster, such as a circuit breaker or no shard exception. The vulnerability has been assigned a CVSS v3.1 base score of 8.0 (High) with vector CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD, Elastic Advisory). Note that the Adjacent attack vector reflects the need to read the log itself; in practice the exposure extends to every place Kibana logs are shipped, such as log collectors, monitoring clusters and SIEMs.
Because the leaked secrets include the kibana_system credentials, which grant broad access to the Elasticsearch cluster, a leaked log line is effectively a cluster credential leak. In Elastic Cloud environments, less than 5% of clusters were identified as affected (Elastic Advisory).
The vulnerability is fixed in Kibana 8.11.2. For users who cannot upgrade, mitigation actions include deploying ingest pipelines to redact sensitive information from log messages, limiting access to Kibana log directories, and reviewing logs for sensitive data that has already been written. Any credential found in a log (including copies that have been shipped elsewhere) should be treated as compromised and rotated. Elastic Cloud has implemented additional mitigations, including purging sensitive data from monitoring environments and deploying redaction solutions (Elastic Advisory).
Source: This report was generated using AI