Security Vulnerabilities - CVEs Published In June 2017
Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5, Netflow v9 or IPFIX packets could perform a denial of service attack on the Logstash instance. The errors resulting from these crafted inputs are not handled by the codec and can cause the Logstash process to exit.
CVSS Score
7.5
EPSS Score
0.006
Published
2017-06-16
With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those services regardless of their own permissions.
CVSS Score
6.5
EPSS Score
0.002
Published
2017-06-16
Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website.
CVSS Score
6.1
EPSS Score
0.002
Published
2017-06-16
Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-06-16
X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index.
CVSS Score
5.9
EPSS Score
0.003
Published
2017-06-16
X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information.
CVSS Score
7.5
EPSS Score
0.002
Published
2017-06-16
With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-06-16
Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes.
CVSS Score
7.5
EPSS Score
0.004
Published
2017-06-16
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVSS Score
7.5
EPSS Score
0.006
Published
2017-06-16
GnuTLS version 3.5.12 and earlier is vulnerable to a NULL pointer dereference while decoding a status response TLS extension with valid contents. This could lead to a crash of the GnuTLS server application.
CVSS Score
7.5
EPSS Score
0.006
Published
2017-06-16