Elastic Kibana

9 matches found

CVE
added 2021/06/02 11:15 a.m. | 332 views

CVE-2020-10743

It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacki...

CVSS 4.3 | AI score 4.5 | EPSS 0.00134

CVE
added 2022/03/03 10:15 p.m. | 124 views

CVE-2022-23709

A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privileg...

CVSS 4.3 | AI score 4.3 | EPSS 0.00221

CVE
added 2019/07/30 10:15 p.m. | 99 views

CVE-2019-7616

Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an at...

CVSS 4.9 | AI score 5.8 | EPSS 0.09517

CVE
added 2024/06/13 5:15 p.m. | 85 views

CVE-2024-37279

A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API, making the alerting rule run continuously and potentially affecting system availability if the alerting rule is running complex queries.

CVSS 4.3 | AI score 4.3 | EPSS 0.00124

CVE
added 2024/06/19 2:15 p.m. | 69 views

CVE-2024-23443

A high-privileged user, allowed to create custom osquery packs, could affect the availability of Kibana by uploading a maliciously crafted osquery pack.

CVSS 4.9 | AI score 5.1 | EPSS 0.03597

CVE
added 2021/11/18 4:15 p.m. | 65 views

CVE-2021-37939

It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could utilize these connectors...

CVSS 4 | AI score 3.4 | EPSS 0.00166

CVE
added 2015/06/15 3:59 p.m. | 54 views

CVE-2015-4093

Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 4.3 | AI score 5.7 | EPSS 0.00237

CVE
added 2023/11/22 1:15 a.m. | 52 views

CVE-2021-22151

It was discovered that Kibana was not validating a user-supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension.

CVSS 4.3 | AI score 4.1 | EPSS 0.00803

CVE
added 2021/11/18 4:15 p.m. | 45 views

CVE-2021-37938

It was discovered that on Windows operating systems specifically, Kibana was not validating a user-supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension. Thanks to Dominic Couture ...

CVSS 4.3 | AI score 4.5 | EPSS 0.00273