Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2022-23707 (Medium) #1312

Closed
tmarkley opened this issue Mar 3, 2022 · 2 comments · Fixed by #1327
Closed

CVE-2022-23707 (Medium) #1312

tmarkley opened this issue Mar 3, 2022 · 2 comments · Fixed by #1327
Assignees
@kavilla
Labels
cve Security vulnerabilities detected by Dependabot or Mend medium severity Medium severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend technical debt If not paid, jeapardizes long-term success and maintainability of the repository.

Comments

@tmarkley
Copy link
Contributor

tmarkley commented Mar 3, 2022

CVE-2022-23707 - Medium Severity Vulnerability

An XSS vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permissions to create index patterns can inject malicious javascript into the index pattern which could execute against other users.

This affects Kibana versions 7.5.1 through 7.16.3; OpenSearch Dashboards inherited this vulnerability when we forked from v7.10.2.

Additional Details

https://nvd.nist.gov/vuln/detail/CVE-2022-23707

https://discuss.elastic.co/t/kibana-7-17-0-security-update/296215
@tmarkley tmarkley added medium severity Medium severity CVE cve Security vulnerabilities detected by Dependabot or Mend v1.3.0 labels Mar 3, 2022
@tmarkley tmarkley assigned tmarkley and unassigned tmarkley Mar 3, 2022
@kavilla kavilla self-assigned this Mar 7, 2022
kavilla added a commit to kavilla/OpenSearch-Dashboards-1 that referenced this issue Mar 8, 2022
@kavilla
[CVE] Decode anchor ID in Discover
967ae8a 
Potential way to prevent XSS from being injected into index pattern.

CVE link:
https://nvd.nist.gov/vuln/detail/CVE-2022-23707

Issue Resolved:
opensearch-project#1312

Signed-off-by: Kawika Avilla <[email protected]>
kavilla added a commit to kavilla/OpenSearch-Dashboards-1 that referenced this issue Mar 8, 2022
@kavilla
[CVE] Decode anchor ID in Discover
5ede9b3 
Potential way to prevent XSS from being injected into index pattern.

CVE link:
https://nvd.nist.gov/vuln/detail/CVE-2022-23707

Issue Resolved:
opensearch-project#1312

Signed-off-by: Kawika Avilla <[email protected]>
@kavilla kavilla mentioned this issue Mar 8, 2022
Merged
7 tasks
@kavilla kavilla linked a pull request Mar 8, 2022 that will close this issue
[CVE] Decode anchor ID in Discover #1327
Merged
7 tasks
kavilla added a commit that referenced this issue Mar 8, 2022
@kavilla
[CVE] Decode anchor ID in Discover (#1327)
b2979c8 
Potential way to prevent XSS from being injected into index pattern.

CVE link:
https://nvd.nist.gov/vuln/detail/CVE-2022-23707

Issue Resolved:
#1312

Signed-off-by: Kawika Avilla <[email protected]>
@kavilla kavilla reopened this Mar 8, 2022
opensearch-trigger-bot bot pushed a commit that referenced this issue Mar 8, 2022
@kavilla @github-actions
[CVE] Decode anchor ID in Discover (#1327)
645ce20 
Potential way to prevent XSS from being injected into index pattern.

CVE link:
https://nvd.nist.gov/vuln/detail/CVE-2022-23707

Issue Resolved:
#1312

Signed-off-by: Kawika Avilla <[email protected]>
(cherry picked from commit b2979c8)
@kavilla
Copy link
Member

kavilla commented Mar 8, 2022

Re-opening @ashwin-pc made a great case that the proposed fix after research is only within the Discover page which could introduce a feeling of security for users even though it's just for Discover.

We should continue to monitor and verify that this was the only issue.

@kavilla kavilla added the v1.4.0 label Mar 8, 2022
kavilla added a commit that referenced this issue Mar 9, 2022
@opensearch-trigger-bot @kavilla
[CVE] Decode anchor ID in Discover (#1327) (#1332)
8a9fb0d 
Potential way to prevent XSS from being injected into index pattern.

CVE link:
https://nvd.nist.gov/vuln/detail/CVE-2022-23707

Issue Resolved:
#1312

Signed-off-by: Kawika Avilla <[email protected]>
(cherry picked from commit b2979c8)

Co-authored-by: Kawika Avilla <[email protected]>
@kavilla kavilla removed the v1.3.0 label Mar 10, 2022
@tmarkley tmarkley added v1.3.0 and removed v1.4.0 labels Apr 14, 2022
@dblock dblock removed the v1.3.0 label May 5, 2022
@tmarkley tmarkley added the technical debt If not paid, jeapardizes long-term success and maintainability of the repository. label May 25, 2022
@joshuarrrr joshuarrrr added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Jun 20, 2022
@joshuarrrr
Copy link
Member

confirmed no further issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kavilla kavilla

Labels
cve Security vulnerabilities detected by Dependabot or Mend medium severity Medium severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend technical debt If not paid, jeapardizes long-term success and maintainability of the repository.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[CVE] Decode anchor ID in Discover kavilla/OpenSearch-Dashboards-1
4 participants
@dblock @joshuarrrr @tmarkley @kavilla