Kibana Session Timeout Bypass Vulnerability

Kibana Session Timeout Bypass Vulnerability

CVE-2021-22136 · LOW Severity

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users sessions, preventing a user session from timing out.

Learn more about our User Device Pen Test.