11 matches found
Improper Validation of Specified Type of Input
Overview kibana is an open source Apache Licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input via the Fleet agent policy management. An attacker can gain unauthorized read and...
Allocation of Resources Without Limits or Throttling
Overview kibana is an open source Apache Licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the bulk retrieval endpoint. An attacker can exhaust system memory and...
Allocation of Resources Without Limits or Throttling
Overview kibana is an open source Apache Licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling during the handling of HTTP requests. An attacker can exhaust computing...
Origin Validation Error
Overview kibana is an open source Apache Licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Origin Validation Error via improper validation of the Origin HTTP header in the Observability AI Assistant. An attacker can make...
Insufficiently Protected Credentials
Overview kibana is an open source Apache Licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the CrowdStrike connector. An attacker can obtain CrowdStrike credentials by accessing...
Incorrect Authorization
Overview kibana is an open source Apache Licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Incorrect Authorization via the built-in reportinguser role, which is incorrectly grants access to all Spaces. An attacker can gai...
Kibana 7.17.x < 7.17.19 / 8.0.x < 8.13.0 File Upload (ESA-2024-47)
Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported...
Elastic 7.17.9, 8.5.0 and 8.6.1 Security Update
Kibana authenticated Denial of Service issue ESA-2023-02 A flawCVE-2022-38900 was discovered in one of Kibana’s third party dependencies, that could allow an authenticated user to to perform a request that crashes the Kibana server process. Affected Versions: Kibana Versions 7.0.0 through 7.17.8...
Elastic Stack 7.14.1 Security Update
Kibana code execution issue ESA-2021-21 It was discovered that a user with fleet admin permissions could upload a malicious package. Due to using an older version of the js-yaml library, this package would be loaded in an insecure manner, allowing an attacker to execute commands on the kibana...
Elastic Stack 6.8.11 and 7.8.1 security update
Kibana regular expression denial of service flaw ESA-2020-09 Kibana versions before 6.8.11 and 7.8.1 contain a denial of service DoS flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming...
Elastic Stack 7.7.1 and 6.8.10 Security Update
Kibana cross site scripting XSS issue ESA-2020-08 The TSVB visualization in Kibana contains a stored XSS flaw. An attacker who is able to edit or create a TSVB visualization could allow the attacker to obtain sensitive information from, or perform destructive actions, on behalf of Kibana users wh...