Elastic: Security Vulnerabilities
Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
CVSS Score
6.1
EPSS Score
0.004
Published
2017-09-29
An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could allow any node using any certificate to join a cluster. The proper behavior in this instance is for the TLS trust manager to deny all certificates.
CVSS Score
5.5
EPSS Score
0.0
Published
2017-08-18
Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack.
CVSS Score
5.9
EPSS Score
0.003
Published
2017-08-09
Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details.
CVSS Score
6.5
EPSS Score
0.004
Published
2017-07-07
In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged into the Kibana access logs.
CVSS Score
6.5
EPSS Score
0.004
Published
2017-06-30
Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote attackers to read communications between Logstash Forwarder agent and Logstash server.
CVSS Score
7.5
EPSS Score
0.012
Published
2017-06-27
Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-06-16
Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page.
CVSS Score
8.8
EPSS Score
0.001
Published
2017-06-16
Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield.
CVSS Score
7.5
EPSS Score
0.007
Published
2017-06-16
Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-06-16