kibana
| Link | package | bugs open | bugs closed | Wiki | GitHub | web search |
| Description | Browser based analytics and search dashboard for Elasticsearch |
| Version | 7.10.2-1 [community] |
Open
| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-1570 | 7.10.2-1 | Medium | Vulnerable | FS#70038 |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2021-37936 | AVG-1570 | Medium | Yes | Content spoofing | A security issue has been found in kibana before version 7.14.1. It was discovered that kibana was not sanitizing document fields containing html snippets.... |
| CVE-2021-22151 | AVG-1570 | Medium | Yes | Directory traversal | A security issue has been found in kibana before version 7.14.1. It was discovered that Kibana was not validating a user supplied path, which would load... |
| CVE-2021-22150 | AVG-1570 | Medium | Yes | Arbitrary code execution | A security issue has been found in kibana before version 7.14.1. It was discovered that a user with fleet admin permissions could upload a malicious... |
| CVE-2021-22142 | AVG-1570 | Medium | Yes | Insufficient validation | Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate the downloadable reports. If a user with permissions... |
| CVE-2021-22141 | AVG-1570 | Medium | Yes | Open redirect | An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana... |
| CVE-2021-22139 | AVG-1570 | Medium | Yes | Denial of service | A denial of service vulnerability was found in the Kibana webhook actions due to a lack of timeout or a limit on the request size. An attacker with... |
| CVE-2021-22136 | AVG-1570 | Medium | Yes | Incorrect calculation | A flaw in Kibana versions before 7.12.0 and 6.8.15 was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was... |
Resolved
| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-2323 | 7.10.1-1 | 7.10.2-1 | High | Fixed | FS#70038 |
| AVG-1210 | 7.8.0-1 | 7.9.1-1 | High | Fixed | |
| AVG-911 | 6.6.0-2 | 6.6.1-1 | High | Fixed |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2020-26296 | AVG-2323 | High | Yes | Cross-site scripting | The Kibana “Vega” visualization type is susceptible to both stored and reflected cross-site scripting (XSS) via a vulnerable version of the Vega library.... |
| CVE-2020-7017 | AVG-1210 | High | Yes | Content spoofing | In Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flaw. An attacker who is able to edit or create a region... |
| CVE-2020-7016 | AVG-1210 | Medium | Yes | Denial of service | Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana... |
| CVE-2019-7610 | AVG-911 | High | Yes | Arbitrary code execution | Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting... |
| CVE-2019-7609 | AVG-911 | High | Yes | Arbitrary code execution | Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion... |
| CVE-2019-7608 | AVG-911 | High | Yes | Information disclosure | Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from, or... |
Advisories
| Date | Advisory | Group | Severity | Type |
|---|---|---|---|---|
| 25 Feb 2019 | ASA-201902-26 | AVG-911 | High | multiple issues |