Impact: Moderate Public Date: 2019-08-23 CWE: CWE-290 Bugzilla: 1747485: CVE-2019-13423 search-guard: Authenticated user could impersonate server user when providing wrong credentials Search Guard Kibana Plugin versions before 5.6.8-7 and before 6.x.y-12 had an issue that an authenticated Kibana user could impersonate as kibanaserver user when providing wrong credentials when all of the following conditions a-c are true: a) Kibana is configured to use Single-Sign-On as authentication method, one of Kerberos, JWT, Proxy, Client certificate. b) The kibanaserver user is configured to use HTTP Basic as the authentication method. c) Search Guard is configured to use an SSO authentication domain and HTTP Basic at the same time
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2019-13423 from the MITRE CVE dictionary dictionary and NIST NVD.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 5.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity Impact | High |
| Availability Impact | None |
| Platform | Package | State |
|---|---|---|
| Red Hat OpenShift Container Platform 4.1 | search-guard | Under investigation |
| Red Hat OpenShift Container Platform 3.9 | search-guard | Under investigation |
| Red Hat OpenShift Container Platform 3.11 | search-guard | Under investigation |
| Red Hat OpenShift Container Platform 3.10 | search-guard | Under investigation |
Vulmon