Elastic Kibana vulnerabilities
108 known vulnerabilities affecting elastic/kibana.
Total CVEs
108
CISA KEV
1
actively exploited
Public exploits
2
Exploited in wild
1
Severity breakdown
CRITICAL7HIGH23MEDIUM76LOW2
Vulnerabilities
Page 5 of 6
CVE-2019-7618MEDIUMCVSS 6.5v7.3.0v7.3.1+1 more2019-10-01
CVE-2019-7618 [MEDIUM] CWE-538 CVE-2019-7618: A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malici
A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local filesystem of the Kibana instance running Code with the permission of the Kibana system user.
nvd
CVE-2019-7616MEDIUMCVSS 4.9fixed in 6.8.2≥ 7.0.0, < 7.2.1+1 more2019-07-30
CVE-2019-7616 [MEDIUM] CWE-918 CVE-2019-7616: Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the grap
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana
cvelistv5nvd
CVE-2019-7610CRITICALCVSS 9.0fixed in 5.6.15≥ 6.0.0, < 6.6.1+1 more2019-03-25
CVE-2019-7610 [CRITICAL] CWE-94 CVE-2019-7610: Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger.
Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Ki
cvelistv5nvd
CVE-2019-7609CRITICALCVSS 10.0KEVPoCfixed in 5.6.15≥ 6.0.0, < 6.6.1+1 more2019-03-25
CVE-2019-7609 [CRITICAL] CWE-94 CVE-2019-7609: Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion vis
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host syst
cvelistv5nvd
CVE-2019-7608MEDIUMCVSS 6.1fixed in 5.6.15≥ 6.0.0, < 6.6.1+1 more2019-03-25
CVE-2019-7608 [MEDIUM] CWE-79 CVE-2019-7608: Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could al
Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
cvelistv5nvd
CVE-2018-17246CRITICALCVSS 9.8PoC≥ 5.0.0, < 5.6.13≥ 6.0.0, < 6.4.3+1 more2018-12-20
CVE-2018-17246 [CRITICAL] CWE-73 CVE-2018-17246: Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plug
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
cvelistv5nvd
CVE-2018-17245CRITICALCVSS 9.8≥ 4.0.0, ≤ 4.6.0≥ 5.0.0, ≤ 5.6.12+2 more2018-12-20
CVE-2018-17245 [CRITICAL] CWE-201 CVE-2018-17245: Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorizatio
Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources plaintext credentials are included in the HTTP request that could be recovered by an external resource provider.
cvelistv5nvd
CVE-2018-3830MEDIUMCVSS 6.1≥ 5.3.0, ≤ 6.4.1vafter 5.3.0, before 5.6.12 and 6.4.12018-09-19
CVE-2018-3830 [MEDIUM] CWE-79 CVE-2018-3830: Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field f
Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
cvelistv5nvd
CVE-2018-3821MEDIUMCVSS 6.1fixed in 5.6.7≥ 6.0.0, < 6.1.3+1 more2018-03-30
CVE-2018-3821 [MEDIUM] CWE-79 CVE-2018-3821: Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerabilit
Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
cvelistv5nvd
CVE-2018-3819MEDIUMCVSS 6.1fixed in 5.6.7≥ 6.0.0, < 6.1.3+1 more2018-03-30
CVE-2018-3819 [MEDIUM] CWE-601 CVE-2018-3819: The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions befo
The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
cvelistv5nvd
CVE-2018-3818MEDIUMCVSS 6.1≥ 5.1.1, ≤ 6.1.2v5.1.1 to 6.1.2 and 5.6.62018-03-30
CVE-2018-3818 [MEDIUM] CWE-79 CVE-2018-3818: Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colo
Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
cvelistv5nvd
CVE-2018-3820MEDIUMCVSS 6.1fixed in 6.1.3vafter 6.1.0 and before 6.1.32018-03-30
CVE-2018-3820 [MEDIUM] CWE-79 CVE-2018-3820: Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs
Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
cvelistv5nvd
CVE-2017-11482MEDIUMCVSS 6.1v5.6.0v5.6.1+5 more2017-12-08
CVE-2017-11482 [MEDIUM] CWE-601 CVE-2017-11482: The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions
The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
cvelistv5nvd
CVE-2017-11481MEDIUMCVSS 6.1v5.6.0v5.6.1+5 more2017-12-08
CVE-2017-11481 [MEDIUM] CWE-79 CVE-2017-11481: Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fiel
Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
cvelistv5nvd
CVE-2017-11479MEDIUMCVSS 6.1v5.0.0v5.0.1+19 more2017-09-29
CVE-2017-11479 [MEDIUM] CWE-79 CVE-2017-11479: Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could
Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
nvd
CVE-2017-8443MEDIUMCVSS 6.5≤ 5.4.22017-06-30
CVE-2017-8443 [MEDIUM] CWE-598 CVE-2017-8443: In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the re
In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged into the Kibana acc
nvd
CVE-2016-1000219HIGHCVSS 7.5≥ 4.1.0, < 4.1.11≥ 4.5.0, < 4.5.42017-06-16
CVE-2016-1000219 [HIGH] CWE-285 CVE-2016-1000219: Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and author
Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield.
nvd
CVE-2017-8452HIGHCVSS 7.5≤ 5.2.0vbefore 5.2.12017-06-16
CVE-2017-8452 [HIGH] CWE-775 CVE-2017-8452: Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cl
Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes.
cvelistv5nvd
CVE-2016-10366MEDIUMCVSS 6.1v4.3.0v4.3.1+13 more2017-06-16
CVE-2016-10366 [MEDIUM] CWE-79 CVE-2016-10366: Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (X
Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack.
cvelistv5nvd
CVE-2017-8451MEDIUMCVSS 6.1≤ 5.3.02017-06-16
CVE-2017-8451 [MEDIUM] CWE-601 CVE-2017-8451: With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login
With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
nvd