CVE-2023-46675: 
Kibana vulnerability analysis and mitigation

An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or when debug level logging is enabled in Kibana. The vulnerability affects Kibana versions 7.x.x prior to 7.17.16 and versions 8.x.x prior to 8.11.2. This issue was disclosed on December 13, 2023, and has been assigned CVE-2023-46675 (NVD).

The vulnerability is classified as an information disclosure issue (CWE-532) with a CVSS v3.1 base score of 6.5 (Medium) according to NVD assessment (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). The issue occurs when Kibana encounters an unexpected error while communicating with Elasticsearch or when debug level logging is enabled. The vulnerability is particularly concerning as it was found that the fix for a similar issue (ESA-2023-25) in Kibana 8.11.1 was incomplete (NVD).

The vulnerability can lead to the exposure of sensitive information in log files, including account credentials for the kibana_system user, API Keys, credentials of Kibana end-users, Elastic Security package policy objects containing private keys, bearer tokens, sessions of 3rd-party integrations, authorization headers, client secrets, and local file paths (NVD).

Elastic has released Kibana version 8.11.2 which resolves this issue. Users are advised to upgrade to Kibana version 8.11.2 for 8.x series or version 7.17.16 for 7.x series (CERT-FR).