Elastic Kibana

stack.watch can email you when security vulnerabilities are reported in Elastic Kibana. You can add multiple products that you use with Kibana to create your own personal software stack watcher.

By the Year

In 2021 there have been 0 vulnerabilities in Elastic Kibana . Last year Kibana had 1 security vulnerability published. Right now, Kibana is on track to have less security vulnerabilities in 2021 than it did last year.

Year	Vulnerabilities	Average Score
2021	0	0.00
2020	1	6.10
2019	4	7.50
2018	7	7.16

It may take a day or so for new Kibana vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.

Latest Elastic Kibana Security Vulnerabilities

The elasticsearch-operator does not validate the namespace where kibana logging resource is created and due to

CVE-2020-27816 6.1 - Medium - December 02, 2020

The elasticsearch-operator does not validate the namespace where kibana logging resource is created and due to that it is possible to replace the original openshift-logging console link (kibana console) to different one, created based on the new CR for the new kibana resource. This could lead to an arbitrary URL redirection or the openshift-logging console link damage. This flaw affects elasticsearch-operator-container versions before 4.7.

CVE-2020-27816 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Open Redirect

Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer

CVE-2019-7616 4.9 - Medium - July 30, 2019

Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system.

CVE-2019-7616 is exploitable with network access, and requires user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.2 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

XSPA

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer

CVE-2019-7609 10 - Critical - March 25, 2019

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

CVE-2019-7609 can be explotited with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulneraility has a high impact to the confidentiality, integrity and availability of this component.

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger

CVE-2019-7610 9 - Critical - March 25, 2019

Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

CVE-2019-7610 is exploitable with network access, and does not require authorization privledges or user interaction. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 2.2 out of four. The potential impact of an exploit of this vulnerability is considered to be critical as this vulneraility has a high impact to the confidentiality, integrity and availability of this component.

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability

CVE-2019-7608 6.1 - Medium - March 25, 2019

Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

CVE-2019-7608 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Kibana versions 4.0 to 4.6

CVE-2018-17245 9.8 - Critical - December 20, 2018

Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources plaintext credentials are included in the HTTP request that could be recovered by an external resource provider.

CVE-2018-17245 can be explotited with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulneraility has a high impact to the confidentiality, integrity and availability of this component.

Insufficiently Protected Credentials

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin

CVE-2018-17246 9.8 - Critical - December 20, 2018

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

CVE-2018-17246 is exploitable with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulneraility has a high impact to the confidentiality, integrity and availability of this component.

Inclusion of Functionality from Untrusted Control Sphere

Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter

CVE-2018-3830 6.1 - Medium - September 19, 2018

Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

CVE-2018-3830 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter

CVE-2018-3818 6.1 - Medium - March 30, 2018

Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

CVE-2018-3818 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

The fix in Kibana for ESA-2017-23 was incomplete

CVE-2018-3819 6.1 - Medium - March 30, 2018

The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.

CVE-2018-3819 can be explotited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Open Redirect

Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations

CVE-2018-3820 6.1 - Medium - March 30, 2018

Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

CVE-2018-3820 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization

CVE-2018-3821 6.1 - Medium - March 30, 2018

Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

CVE-2018-3821 can be explotited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields

CVE-2017-11481 6.1 - Medium - December 08, 2017

Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

CVE-2017-11481 can be explotited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

The Kibana fix for CVE-2017-8451 was found to be incomplete

CVE-2017-11482 6.1 - Medium - December 08, 2017

The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.

CVE-2017-11482 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Open Redirect

Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion

CVE-2017-11479 6.1 - Medium - September 29, 2017

Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

CVE-2017-11479 can be explotited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack

CVE-2016-1000220 6.1 - Medium - June 16, 2017

Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers.

CVE-2016-1000220 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in

CVE-2016-1000219 7.5 - High - June 16, 2017

Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield.

CVE-2016-1000219 can be explotited with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

AuthZ

Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack.

CVE-2015-9056 6.1 - Medium - June 16, 2017

Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack.

CVE-2015-9056 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack.

CVE-2016-10366 6.1 - Medium - June 16, 2017

Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack.

CVE-2016-10366 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

With X-Pack installed

CVE-2016-10364 6.5 - Medium - June 16, 2017

With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those services regardless of their own permissions.

CVE-2016-10364 is exploitable with network access, and requires small amount of user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Permissions, Privileges, and Access Controls

Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page

CVE-2017-8440 6.1 - Medium - June 05, 2017

Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

CVE-2017-8440 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder

CVE-2017-8439 6.1 - Medium - June 05, 2017

Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an attacker to obtain sensitive information from Kibana users.

CVE-2017-8439 can be explotited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1

CVE-2015-8131 - December 07, 2015

Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

352

Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3

CVE-2015-4093 - June 15, 2015

Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

XSS

Elastic Kibana

By the Year

Latest Elastic Kibana Security Vulnerabilities

The elasticsearch-operator does not validate the namespace where kibana logging resource is created and due to CVE-2020-27816 6.1 - Medium - December 02, 2020

Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer CVE-2019-7616 4.9 - Medium - July 30, 2019

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer CVE-2019-7609 10 - Critical - March 25, 2019

Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger CVE-2019-7610 9 - Critical - March 25, 2019

Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability CVE-2019-7608 6.1 - Medium - March 25, 2019

Kibana versions 4.0 to 4.6 CVE-2018-17245 9.8 - Critical - December 20, 2018

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin CVE-2018-17246 9.8 - Critical - December 20, 2018

Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter CVE-2018-3830 6.1 - Medium - September 19, 2018

Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter CVE-2018-3818 6.1 - Medium - March 30, 2018

The fix in Kibana for ESA-2017-23 was incomplete CVE-2018-3819 6.1 - Medium - March 30, 2018

Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations CVE-2018-3820 6.1 - Medium - March 30, 2018

Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization CVE-2018-3821 6.1 - Medium - March 30, 2018

Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields CVE-2017-11481 6.1 - Medium - December 08, 2017

The Kibana fix for CVE-2017-8451 was found to be incomplete CVE-2017-11482 6.1 - Medium - December 08, 2017

Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion CVE-2017-11479 6.1 - Medium - September 29, 2017

Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack CVE-2016-1000220 6.1 - Medium - June 16, 2017

Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in CVE-2016-1000219 7.5 - High - June 16, 2017

Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack. CVE-2015-9056 6.1 - Medium - June 16, 2017

Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack. CVE-2016-10366 6.1 - Medium - June 16, 2017

With X-Pack installed CVE-2016-10364 6.5 - Medium - June 16, 2017

Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page CVE-2017-8440 6.1 - Medium - June 05, 2017

Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder CVE-2017-8439 6.1 - Medium - June 05, 2017

Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 CVE-2015-8131 - December 07, 2015

Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 CVE-2015-4093 - June 15, 2015

The elasticsearch-operator does not validate the namespace where kibana logging resource is created and due to

CVE-2020-27816 6.1 - Medium - December 02, 2020

Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer

CVE-2019-7616 4.9 - Medium - July 30, 2019

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer

CVE-2019-7609 10 - Critical - March 25, 2019

Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger

CVE-2019-7610 9 - Critical - March 25, 2019

Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability

CVE-2019-7608 6.1 - Medium - March 25, 2019

Kibana versions 4.0 to 4.6

CVE-2018-17245 9.8 - Critical - December 20, 2018

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin

CVE-2018-17246 9.8 - Critical - December 20, 2018

Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter

CVE-2018-3830 6.1 - Medium - September 19, 2018

Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter

CVE-2018-3818 6.1 - Medium - March 30, 2018

The fix in Kibana for ESA-2017-23 was incomplete

CVE-2018-3819 6.1 - Medium - March 30, 2018

Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations

CVE-2018-3820 6.1 - Medium - March 30, 2018

Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization

CVE-2018-3821 6.1 - Medium - March 30, 2018

Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields

CVE-2017-11481 6.1 - Medium - December 08, 2017

The Kibana fix for CVE-2017-8451 was found to be incomplete

CVE-2017-11482 6.1 - Medium - December 08, 2017

Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion

CVE-2017-11479 6.1 - Medium - September 29, 2017

Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack

CVE-2016-1000220 6.1 - Medium - June 16, 2017

Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in

CVE-2016-1000219 7.5 - High - June 16, 2017

Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack.

CVE-2015-9056 6.1 - Medium - June 16, 2017

Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack.

CVE-2016-10366 6.1 - Medium - June 16, 2017

With X-Pack installed

CVE-2016-10364 6.5 - Medium - June 16, 2017

Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page

CVE-2017-8440 6.1 - Medium - June 05, 2017

Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder

CVE-2017-8439 6.1 - Medium - June 05, 2017

Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1

CVE-2015-8131 - December 07, 2015

Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3

CVE-2015-4093 - June 15, 2015