CVE-2017-11482 — Open Redirect in Kibana

CWE-601 — Open Redirect6 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 58.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elastic Kibana

Timeline

PublishedDec 8

Latest updateMay 13

Description

The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5elastic/kibanabefore 6.0.1 and 5.6.5

▶NVDelastic/kibana6 versions+5

🔴Vulnerability Details

GHSA

GHSA-28c3-wp2j-prjr: The Kibana fix for CVE-2017-8451 was found to be incomplete↗2022-05-13

▶

CVEList

CVE-2017-11482: The Kibana fix for CVE-2017-8451 was found to be incomplete↗2017-12-08

▶

📋Vendor Advisories

Red Hat

kibana: open redirect on the login page (ESA-2017-23)↗2017-12-17

▶

💬Community

Bugzilla

CVE-2017-11482 kibana: open redirect on the login page (ESA-2017-23)↗2018-01-25

▶

Bugzilla

CVE-2017-11482 puppet-kibana3: kibana: open redirect on the login page (ESA-2017-23) [openstack-rdo]↗2018-01-25

▶