CVE-2016-1000219 — Improper Authorization in Kibana

CWE-285 — Improper Authorization CWE-532 — Log File Information Exposure5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 28.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elastic Kibana

Timeline

PublishedJun 16

Latest updateMay 13

Description

Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶NVDelastic/kibana4.1.0 — 4.1.11+1

🔴Vulnerability Details

GHSA

GHSA-q36m-wm9g-699v: Kibana before 4↗2022-05-13

▶

CVEList

CVE-2016-1000219: Kibana before 4↗2017-06-16

▶

📋Vendor Advisories

Red Hat

kibana: Session hijack via stealing cookies and auth headers from log ESA-2016-04↗2016-08-03

▶

💬Community

Bugzilla

CVE-2016-1000219 kibana: Session hijack via stealing cookies and auth headers from log ESA-2016-04↗2016-08-05

▶