Elastic Kibana
By the Year
In 2021 there have been 0 vulnerabilities published for Elastic Kibana. Last year, Kibana had 1 security vulnerability published. Right now, Kibana is on track to have fewer security vulnerabilities in 2021 than it did last year.
Year | Vulnerabilities | Average Score
---|---|---
2021 | 0 | 0.00
2020 | 1 | 6.10
2019 | 4 | 7.50
2018 | 7 | 7.16
It may take a day or so for new Kibana vulnerabilities to show up here. Additionally, vulnerabilities may be tagged under a different product or component name.
Latest Elastic Kibana Security Vulnerabilities
CVE-2020-27816 (6.1 - Medium), published December 02, 2020
The elasticsearch-operator does not validate the namespace where the kibana logging resource is created, and due to that it is possible to replace the original openshift-logging console link (kibana console) with a different one, created based on the new CR for the new kibana resource. This could lead to an arbitrary URL redirection or damage to the openshift-logging console link. This flaw affects elasticsearch-operator-container versions before 4.7.
Category: Open Redirect
CVE-2019-7616 (4.9 - Medium), published July 30, 2019
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for the Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system.
Category: XSPA
CVE-2019-7608 (6.1 - Medium), published March 25, 2019
Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Category: XSS
CVE-2019-7609 (10 - Critical), published March 25, 2019
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system.
Category: Command Injection
CVE-2019-7610 (9 - Critical), published March 25, 2019
Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system.
Category: Command Injection
CVE-2018-17246 (9.8 - Critical), published December 20, 2018
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system.
Category: Inclusion of Functionality from Untrusted Control Sphere
CVE-2018-17245 (9.8 - Critical), published December 20, 2018
Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources, plaintext credentials are included in the HTTP request and could be recovered by an external resource provider.
Category: Insufficiently Protected Credentials
CVE-2018-3830 (6.1 - Medium), published September 19, 2018
Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Category: XSS
CVE-2018-3818 (6.1 - Medium), published March 30, 2018
Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Category: XSS
CVE-2018-3819 (6.1 - Medium), published March 30, 2018
The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
Category: Open Redirect
CVE-2018-3820 (6.1 - Medium), published March 30, 2018
Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Category: XSS
CVE-2018-3821 (6.1 - Medium), published March 30, 2018
Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Category: XSS
CVE-2017-11481 (6.1 - Medium), published December 08, 2017
Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Category: XSS
CVE-2017-11482 (6.1 - Medium), published December 08, 2017
The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
Category: Open Redirect
CVE-2017-11479 (6.1 - Medium), published September 29, 2017
Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Category: XSS
CVE-2016-1000219 (7.5 - High), published June 16, 2017
In Kibana before 4.5.4 and 4.1.11, when a custom output is configured for logging, cookies and authorization headers could be written to the log files. This information could be used to hijack the sessions of other users when Kibana is used behind some form of authentication such as Shield.
Category: AuthZ
CVE-2016-1000220 (6.1 - Medium), published June 16, 2017
Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers.
Category: XSS
CVE-2016-10366 (6.1 - Medium), published June 16, 2017
Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack.
Category: XSS
CVE-2016-10364 (6.5 - Medium), published June 16, 2017
With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service; any authenticated user could make requests to those services regardless of their own permissions.
Category: Permissions, Privileges, and Access Controls
CVE-2015-9056 (6.1 - Medium), published June 16, 2017
Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to an XSS attack.
Category: XSS
CVE-2017-8440 (6.1 - Medium), published June 05, 2017
Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Category: XSS
CVE-2017-8439 (6.1 - Medium), published June 05, 2017
Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an attacker to obtain sensitive information from Kibana users.
Category: XSS
CVE-2015-8131 (no score listed), published December 07, 2015
Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Category: Session Riding
CVE-2015-4093 (no score listed), published June 15, 2015
Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Category: XSS
