Elastic Kibana
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*
- >= 9.0.0, <= 9.0.5
- >= 9.1.0, <= 9.1.2
A privilege escalation vulnerability has been identified in Elastic Kibana versions 9.0.0 prior to 9.0.6 and 9.1.0 prior to 9.1.3. The issue arises from incorrect authorization in the built-in reporting_user role, which improperly allows access to all Kibana Spaces. This vulnerability affects deployments that assign the reporting_user role to end users, granting them read access to various Kibana assets across all Spaces, including Discover, Dashboards, the Visualization Library, and Canvas. However, the access does not extend to any documents or indices beyond what the users' existing index privileges already allow.
Exploitation of this vulnerability could lead to unauthorized access to Kibana Spaces and the ability to generate reports from various Kibana assets, such as Dashboards and Discover, depending on the user's assigned privileges.
Users can upgrade to Kibana versions 9.0.6 or 9.1.3 to address this vulnerability. For those unable to upgrade, it is recommended to revoke the reporting_user role from end users and instead grant access to reporting functionality through custom roles that provide the necessary permissions.
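As an added example (not from the advisory or from Elastic), the following Python audit reads role definitions in the format returned by the Kibana Roles API (GET /api/security/role), flags roles that grant reporting privileges in every Space, and builds a Space-scoped custom role body suitable for PUT /api/security/role/<name>. The sub-feature privilege IDs (minimal_read, generate_report, download_csv_report) and the sample role documents are assumptions; the exact privilege set of the built-in reporting_user role varies by version.

```python
"""Audit Kibana roles for reporting privileges that apply to all Spaces and
build a Space-scoped replacement for the built-in reporting_user role."""
import json

# Reporting sub-feature privilege IDs (assumed to match Kibana 9.x).
REPORTING_PRIVILEGES = {"generate_report", "download_csv_report"}


def grants_reporting_everywhere(role: dict) -> bool:
    """True if any Kibana privilege entry covers all Spaces ("*") and carries a
    reporting sub-feature privilege, or a base privilege (which implies every
    feature privilege, reporting included)."""
    for entry in role.get("kibana", []):
        if "*" not in entry.get("spaces", []):
            continue
        if entry.get("base"):
            return True
        for privs in entry.get("feature", {}).values():
            if REPORTING_PRIVILEGES & set(privs):
                return True
    return False


def find_overbroad_roles(roles: list) -> list:
    """Names of roles that should be replaced by Space-scoped custom roles."""
    return [r["name"] for r in roles if grants_reporting_everywhere(r)]


def scoped_reporting_role(spaces: list, indices: list) -> dict:
    """Role body: read on the given indices, reporting only in the named Spaces,
    using 'minimal_read' instead of the broader 'read' feature privilege."""
    return {
        "elasticsearch": {"indices": [{"names": indices,
                                       "privileges": ["read", "view_index_metadata"]}]},
        "kibana": [{"base": [],
                    "feature": {"discover": ["minimal_read", "generate_report"],
                                "dashboard": ["minimal_read", "generate_report",
                                              "download_csv_report"]},
                    "spaces": spaces}],
    }


# Constructed sample (not exported from a real deployment): an approximation of
# the built-in role beside one role already limited to a single Space.
SAMPLE_ROLES = [
    {"name": "reporting_user", "kibana": [{"base": [], "spaces": ["*"],
     "feature": {"discover": ["minimal_read", "generate_report"],
                 "dashboard": ["minimal_read", "generate_report", "download_csv_report"]}}]},
    {"name": "marketing_reporting", "kibana": [{"base": [], "spaces": ["marketing"],
     "feature": {"dashboard": ["minimal_read", "generate_report"]}}]},
]

if __name__ == "__main__":
    print("reporting granted in all Spaces:", find_overbroad_roles(SAMPLE_ROLES))
    print(json.dumps(scoped_reporting_role(["marketing"], ["logs-marketing-*"]), indent=2))
```

Run the audit against the JSON list returned by GET /api/security/role on your own deployment; any role it reports is a candidate for replacement with the scoped body.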