Elastic Kibana Incorrect Authorization Vulnerability Leading to Information Disclosure

Vulnerability

A vulnerability exists in Kibana versions 8.0.0 prior to 8.19.13, 9.0.0 prior to 9.2.8, and 9.3.0 prior to 9.3.3. It is an incorrect authorization flaw that allows users with limited Fleet privileges to reach an internal API endpoint. Calling this endpoint returns sensitive configuration data, such as private keys and authentication tokens, that should only be available to users holding the higher-level settings privileges. The affected endpoint skips the expected authorization check and returns the full configuration objects from the internal API directly, so the data is disclosed to any user who can reach it, which amounts to privilege abuse.
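As an added illustration (not Kibana's code), the following TypeScript models the defect described above beside a corrected handler: the vulnerable version returns the stored configuration object to any Fleet user, while the fixed version gates the secret fields behind the settings privilege and returns a redacted view otherwise. The type names, privilege strings, function names and the sample proxy record are hypothetical.

```typescript
// Hypothetical privilege names, not Kibana's real feature privilege identifiers.
type Privilege = "fleet.agents.read" | "fleet.settings.all";

interface FleetProxyConfig {
  id: string;
  url: string;
  certificate_key?: string;                // private key material
  proxy_headers?: Record<string, string>;  // may carry authentication tokens
}

interface User { name: string; privileges: Privilege[] }

// Constructed sample record; placeholder values, not real secrets.
const STORE: Record<string, FleetProxyConfig> = {
  "proxy-1": {
    id: "proxy-1",
    url: "https://proxy.example.internal:8443",
    certificate_key: "-----BEGIN PRIVATE KEY----- PLACEHOLDER -----END PRIVATE KEY-----",
    proxy_headers: { Authorization: "Bearer PLACEHOLDER-TOKEN" },
  },
};

// Vulnerable pattern: the only check is "has some Fleet privilege"; the
// handler then hands back the full stored object, secrets included.
export function getProxyVulnerable(user: User, id: string): FleetProxyConfig | undefined {
  if (user.privileges.length === 0) return undefined;
  return STORE[id];
}

// Corrected pattern: secret fields require the settings privilege; a caller
// with only the agents privilege gets a redacted view; anyone else is refused.
export function getProxyFixed(user: User, id: string): Partial<FleetProxyConfig> | undefined {
  const cfg = STORE[id];
  if (cfg === undefined) return undefined;
  if (user.privileges.includes("fleet.settings.all")) return cfg;
  if (user.privileges.includes("fleet.agents.read")) {
    return { id: cfg.id, url: cfg.url };  // no key, no headers
  }
  return undefined;
}

// True if a returned object still carries either secret-bearing field.
export function leaksSecrets(cfg: Partial<FleetProxyConfig> | undefined): boolean {
  return cfg !== undefined && (cfg.certificate_key !== undefined || cfg.proxy_headers !== undefined);
}
```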

Impact

Exploitation of this vulnerability can result in unauthorized access to sensitive configuration data, including private keys and authentication tokens, creating a risk of privilege abuse.

Remediation

Upgrade to Kibana version 8.19.14, 9.2.8, or 9.3.3 to address this vulnerability. Users unable to upgrade should review Fleet role assignments and ensure that only trusted users hold Fleet agent privileges. Additionally, rotate any proxy credentials that may have been exposed.

Added: Apr 8, 2026, 5:26 PM
Updated: Apr 8, 2026, 5:26 PM

Vulnerability Rating

Custom Algorithm

  spread          5.7
  impact          2.5
  exploitability  4.9
  remediation     7.9
  relevance       5.5
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.