CVE-2016-10364: Missing Authentication for Critical Function in X-pack Security

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.2% (top 62.03%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 16; Latest update May 13

Description

With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service. Any authenticated user could make requests to those services regardless of their own permissions.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

NVD: elastic/kibana 5.0.0, 5.0.1 +1
CVEListV5: elastic/elastic_x-pack_security before 5.0.2

Vulnerability Details (2)

GHSA (2022-05-13): GHSA-vhh5-g73h-79g9: With X-Pack installed, Kibana versions 5
CVEList (2017-06-16): CVE-2016-10364: With X-Pack installed, Kibana versions 5
CVE-2016-10364 — Elastic X-pack Security vulnerability | cvebase