Kibana 8.x < 8.19.16 / 9.0.x < 9.3.5 Multiple Vulnerabilities (ESA-2026-30 / ESA-2026-33 / ESA-2026-34 / ESA-2026-36)

Published: 04 Jun 2026 00:00:00
Reported by: Tenable
Type: nessus
Source: www.tenable.com

Kibana 8.x before 8.19.16 and 9.x before 9.3.5 have flaws: path traversal, token expiry, memory exhaustion.

Related

Reporter    | Title                                  | Published         | Family
ATTACKERKB  | CVE-2026-42399                         | 28 May 2026 19:44 | attackerkb
ATTACKERKB  | CVE-2026-33462                         | 28 May 2026 19:33 | attackerkb
ATTACKERKB  | CVE-2026-42401                         | 28 May 2026 19:40 | attackerkb
ATTACKERKB  | CVE-2026-33463                         | 28 May 2026 19:37 | attackerkb
Circl       | CVE-2026-33462                         | 28 May 2026 21:22 | circl
Circl       | CVE-2026-33463                         | 28 May 2026 21:15 | circl
Circl       | CVE-2026-42399                         | 29 May 2026 14:45 | circl
Circl       | CVE-2026-42401                         | 28 May 2026 21:53 | circl
CNNVD       | Elastic Kibana security vulnerability  | 28 May 2026 00:00 | cnnvd
CNNVD       | Elastic Kibana security vulnerability  | 28 May 2026 00:00 | cnnvd
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(318721);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/05");

  script_cve_id(
    "CVE-2026-33462",
    "CVE-2026-33463",
    "CVE-2026-42399",
    "CVE-2026-42401"
  );
  script_xref(name:"IAVB", value:"2026-B-0141");
  script_xref(name:"IAVB", value:"2026-B-0142");

  script_name(english:"Kibana 8.x < 8.19.16 / 9.0.x < 9.3.5 Multiple Vulnerabilities (ESA-2026-30 / ESA-2026-33 / ESA-2026-34 / ESA-2026-36)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Kibana installed on the remote host is prior to 8.19.16 or 9.3.5. It is, therefore, affected by
multiple vulnerabilities as referenced in the ESA-2026-30, ESA-2026-33, ESA-2026-34, and ESA-2026-36 advisories.

  - A path traversal vulnerability was identified in Kibana's dashboard management functionality. An
    authenticated user with limited permissions could create a dashboard with a specially crafted identifier.
    When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the
    deletion request is redirected to an unintended internal endpoint, potentially resulting in the
    unauthorized deletion of user accounts or other resources. Exploitation requires an administrator to
    perform a delete action on the maliciously crafted dashboard object. (CVE-2026-33462)

  - Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized
    information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded
    access token to remain usable beyond its intended validity window, enabling an unauthenticated actor in
    possession of the token to retrieve the associated content after expiration. (CVE-2026-33463)

  - Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive
    Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially
    increasing amounts of memory by submitting a specially crafted Timelion visualization expression
    containing deeply chained function calls. The resulting data structure grows without bound, exhausting
    available memory and causing the Kibana service to crash and become unavailable to all users.
    (CVE-2026-42399)

  - Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML
    injection. A user with write access to an Elasticsearch index could persist crafted markup which, when
    subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized.
    Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued
    from the viewing user's browser session. (CVE-2026-42401)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported
version number.");
  # https://discuss.elastic.co/t/kibana-8-19-16-and-9-3-5-security-update-esa-2026-30/386545
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e02694b8");
  # https://discuss.elastic.co/t/8-19-16-9-3-5-security-update-esa-2026-33/386551
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d161a394");
  # https://discuss.elastic.co/t/kibana-8-19-16-9-3-5-security-update-esa-2026-34/386552
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?874e7e98");
  # https://discuss.elastic.co/t/kibana-8-19-16-and-9-3-5-security-update-esa-2026-36/386556
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e535e43d");
  script_set_attribute(attribute:"solution", value:
"Update to Kibana version 8.19.16, 9.3.5 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-33462");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/05/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/04");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:elasticsearch:kibana");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("kibana_web_detect.nbin");
  script_require_keys("installed_sw/Kibana");
  script_require_ports("Services/www", 5601);

  exit(0);
}

include('http.inc');
include('vcf.inc');

var app = 'Kibana';

get_install_count(app_name:app, exit_if_zero:TRUE);

var port = get_http_port(default:5601);

var app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);

var constraints = [
  { 'min_version' : '8.0.0', 'fixed_version' : '8.19.16' },
  { 'min_version' : '9.0.0', 'fixed_version' : '9.3.5' }
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE,
  flags:{"xss":TRUE}
);
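The plugin above only compares the self-reported version against two ranges. As an added example (not Tenable's plugin code and not Kibana code), the following Python applies the same two constraints, 8.0.0 <= v < 8.19.16 and 9.0.0 <= v < 9.3.5, to a version number read from a Kibana status document; the status body is constructed here and its shape is assumed from Kibana's GET /api/status response.

```python
"""Offline version-range check mirroring the plugin's constraints.
Added example; the sample status document below is constructed."""
import json
import re

# Same ranges as the plugin: a version in [min_version, fixed_version) is affected.
CONSTRAINTS = [("8.0.0", "8.19.16"), ("9.0.0", "9.3.5")]

# Constructed sample of a Kibana GET /api/status body, trimmed to the field we use.
SAMPLE_STATUS = json.dumps(
    {"name": "kib01", "version": {"number": "8.19.15", "build_hash": "placeholder"}}
)


def parse_version(text):
    """Turn '8.19.15' or '9.3.5-SNAPSHOT' into a comparable (major, minor, patch) tuple.
    Build/prerelease suffixes are ignored; anything else is rejected rather than guessed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when the version lies inside any affected range.
    Versions outside every range (7.x, 10.x, ...) are not claimed by this check,
    exactly as the plugin's constraints do not claim them."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(fix) for lo, fix in CONSTRAINTS)


def check_status_body(body):
    """Apply the check to a /api/status JSON document; returns (version, affected)."""
    number = json.loads(body)["version"]["number"]
    return number, is_affected(number)


if __name__ == "__main__":
    print(check_status_body(SAMPLE_STATUS))
```

Like the plugin, this is a version-only check: a host running a fixed build that reports an old version string will still be flagged, and a backported fix will not be recognised.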


Last updated: 05 Jun 2026 00:00 (current)
Risk: 5.5 (Medium)
Vulners AI Score: 5.5
CVSS 3.1: 6.5 - 7.3
EPSS: 0.00068
SSVC
5