CVE-2018-3819 — Open Redirect in Kibana

CWE-601 — Open Redirect6 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 56.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elastic Kibana

Timeline

PublishedMar 30

Latest updateMay 13

Description

The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDelastic/kibana6.0.0 — 6.1.3+1

▶CVEListV5elastic/kibanaAll versions before 6.1.3 and 5.6.7

🔴Vulnerability Details

GHSA

GHSA-p999-w4h4-238v: The fix in Kibana for ESA-2017-23 was incomplete↗2022-05-13

▶

CVEList

CVE-2018-3819: The fix in Kibana for ESA-2017-23 was incomplete↗2018-03-30

▶

📋Vendor Advisories

Red Hat

kibana: open redirect on the login page↗2018-01-30

▶

💬Community

Bugzilla

CVE-2018-9516 kernel: HID: debug: Buffer overflow in hid_debug_events_read() in drivers/hid/hid-debug.c↗2018-09-19

▶

Bugzilla

CVE-2018-3819 kibana: open redirect on the login page↗2018-03-06

▶