CVE-2018-17245: Sensitive Info Insertion into Sent Data in Kibana

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.3% (top 44.68%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Dec 20; Latest update May 13

Description

Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources, plaintext credentials are included in the HTTP request and could be recovered by an external resource provider.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Affected Packages (2 packages)

NVD: elastic/kibana 4.0.0 to 4.6.0 (+2)
CVEListV5: elastic/kibana 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2

Vulnerability Details (2)

GHSA: GHSA-j8h5-wqfr-cxp3: Kibana versions 4 (2022-05-13)
CVEList: CVE-2018-17245: Kibana versions 4 (2018-12-20)

Vendor Advisories (1)

Red Hat: kibana: Information leak in the PDF generation process (2018-11-06)

Community (1)

Bugzilla: CVE-2018-17245 kibana: Information leak in the PDF generation process (2018-11-07)
CVE-2018-17245 — Elastic Kibana vulnerability | cvebase