An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/log_entries/summary. This can be carried out by users with read access to the Observability-Logs feature in Kibana.
CVSS Score
6.5
EPSS Score
0.002
Published
2025-01-21
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv and Kibana privileges https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html assigned to them.
The following Elasticsearch indices permissions are required
* write privilege on the system indices .kibana_ingest*
* The allow_restricted_indices flag is set to true
Any of the following Kibana privileges are additionally required
* Under Fleet the All privilege is granted
* Under Integration the Read or All privilege is granted
* Access to the fleet-setup privilege is gained through the Fleet Server’s service account token
CVSS Score
9.1
EPSS Score
0.004
Published
2024-11-14
A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution.
CVSS Score
9.1
EPSS Score
0.006
Published
2024-08-13
An issue was discovered in Kibana where a user with Viewer role could cause a Kibana instance to crash by sending a large number of maliciously crafted requests to a specific endpoint.
CVSS Score
6.5
EPSS Score
0.004
Published
2024-07-30
A high-privileged user, allowed to create custom osquery packs 17 could affect the availability of Kibana by uploading a maliciously crafted osquery pack.
CVSS Score
4.9
EPSS Score
0.022
Published
2024-06-19
An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL.
CVSS Score
6.1
EPSS Score
0.004
Published
2024-06-14
A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API making the alerting rule run continuously, potentially affecting the system availability if the alerting rule is running complex queries.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-06-13
Page 2