CVE-2020-26296 - log

CVE-2020-26296 edited at 15 Feb 2021 14:15:09
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Cross-site scripting
Description
+ The Kibana “Vega” visualization type is susceptible to both stored and reflected cross-site scripting (XSS) via a vulnerable version of the Vega library. Users who can create these visualizations or craft a vulnerable URL describing this visualization can execute arbitrary JavaScript in the victim’s browser. The issue is fixed in Kibana versions 7.10.2 and 6.8.14.
References
+ https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915
Notes
+ Workaround
+ ==========
+
+ The issue can be mitigated by disabling Vega visualizations by setting 'vega.enabled: false' in the kibana.yml file.
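A small triage helper, added here as an example and not part of the tracker entry or of Kibana itself: given a Kibana version string and the contents of kibana.yml, it reports whether the instance is fixed (7.10.2+ or 6.8.14+ per the description), mitigated (Vega visualizations disabled via vega.enabled: false per the workaround), or still exposed. The version thresholds and the setting name come from this entry; the minimal kibana.yml parser, the function names and the sample configuration are assumptions constructed for the example. Versions older than the 6.8 line are not described by this entry and are treated conservatively as unfixed.

```python
"""Triage CVE-2020-26296 (Kibana Vega XSS) from version + kibana.yml.

Example code written for this tracker page; not Kibana's own code.
"""

# Fixed versions as stated in the CVE description.
FIXED_6X = (6, 8, 14)
FIXED_7X = (7, 10, 2)


def parse_version(version: str) -> tuple:
    """'7.10.1-SNAPSHOT' -> (7, 10, 1). Pre-release suffixes are ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_fixed(version: str) -> bool:
    """True when the version carries the fix on its release line."""
    v = parse_version(version)
    if v[0] == 6:
        return v >= FIXED_6X
    # 7.x and anything newer: fixed from 7.10.2 onwards. Versions below 6.x
    # are not covered by the entry; treat them as unfixed (assumption).
    return v >= FIXED_7X


def parse_kibana_yml(text: str) -> dict:
    """Flatten a simple kibana.yml into dotted keys.

    Handles both spellings Kibana accepts for the same setting:
        vega.enabled: false
    and
        vega:
          enabled: false
    Comments and quoted scalars are stripped. Lists and multi-line
    values are not needed for this check and are ignored.
    """
    settings = {}
    stack = []  # (indent, key) for currently open nested mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        while stack and stack[-1][0] >= indent:
            stack.pop()
        full_key = ".".join([k for _, k in stack] + [key.strip()])
        value = value.split(" #", 1)[0].strip().strip("'\"")
        if value == "":
            stack.append((indent, key.strip()))  # start of a nested mapping
        else:
            settings[full_key] = value
    return settings


def vega_disabled(settings: dict) -> bool:
    """The workaround from this entry: vega.enabled set to false.

    Vega visualizations are enabled by default, so a missing key counts
    as enabled.
    """
    return settings.get("vega.enabled", "true").lower() in {"false", "no", "off"}


def assess(version: str, kibana_yml: str) -> str:
    """Return 'fixed', 'mitigated' or 'vulnerable' for one instance."""
    if is_fixed(version):
        return "fixed"
    if vega_disabled(parse_kibana_yml(kibana_yml)):
        return "mitigated"
    return "vulnerable"


# Constructed sample configuration (not from a real deployment).
SAMPLE_YML = """\
# kibana.yml
server.port: 5601
elasticsearch.hosts: ["http://localhost:9200"]
vega:
  enabled: false   # workaround for CVE-2020-26296
"""

if __name__ == "__main__":
    for ver in ("6.8.13", "6.8.14", "7.9.3", "7.10.1", "7.10.2"):
        print(ver, "with workaround:", assess(ver, SAMPLE_YML),
              "| without:", assess(ver, "server.port: 5601\n"))
```

The version check is branch-aware on purpose: 6.8.14 is newer than nothing on the 7.x line, so a plain "greater than 7.10.2" comparison would wrongly flag every patched 6.8 install, while a plain "greater than 6.8.14" would wrongly clear 7.9.x.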
CVE-2020-26296 created at 15 Feb 2021 14:08:57