kibana

Description Browser based analytics and search dashboard for Elasticsearch
Version 7.10.2-1 [community]

Open

Group     Affected  Fixed     Severity  Status      Ticket
AVG-1570  7.10.2-1            Medium    Vulnerable  FS#70038
Issue           Group     Severity  Remote  Type
CVE-2021-37936  AVG-1570  Medium    Yes     Content spoofing
    A security issue has been found in kibana before version 7.14.1. It was discovered that kibana was not sanitizing document fields containing html snippets....
CVE-2021-22151  AVG-1570  Medium    Yes     Directory traversal
    A security issue has been found in kibana before version 7.14.1. It was discovered that Kibana was not validating a user supplied path, which would load...
CVE-2021-22150  AVG-1570  Medium    Yes     Arbitrary code execution
    A security issue has been found in kibana before version 7.14.1. It was discovered that a user with fleet admin permissions could upload a malicious...
CVE-2021-22142  AVG-1570  Medium    Yes     Insufficient validation
    Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate the downloadable reports. If a user with permissions...
CVE-2021-22141  AVG-1570  Medium    Yes     Open redirect
    An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana...
CVE-2021-22139  AVG-1570  Medium    Yes     Denial of service
    A denial of service vulnerability was found in the Kibana webhook actions due to a lack of timeout or a limit on the request size. An attacker with...
CVE-2021-22136  AVG-1570  Medium    Yes     Incorrect calculation
    A flaw in Kibana versions before 7.12.0 and 6.8.15 was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was...

Resolved

Group     Affected  Fixed     Severity  Status  Ticket
AVG-2323  7.10.1-1  7.10.2-1  High      Fixed   FS#70038
AVG-1210  7.8.0-1   7.9.1-1   High      Fixed
AVG-911   6.6.0-2   6.6.1-1   High      Fixed
Issue           Group     Severity  Remote  Type
CVE-2020-26296  AVG-2323  High      Yes     Cross-site scripting
    The Kibana "Vega" visualization type is susceptible to both stored and reflected cross-site scripting (XSS) via a vulnerable version of the Vega library....
CVE-2020-7017   AVG-1210  High      Yes     Content spoofing
    In Kibana versions before 6.8.11 and 7.8.1 the region map visualization contains a stored XSS flaw. An attacker who is able to edit or create a region...
CVE-2020-7016   AVG-1210  Medium    Yes     Denial of service
    Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana...
CVE-2019-7610   AVG-911   High      Yes     Arbitrary code execution
    Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting...
CVE-2019-7609   AVG-911   High      Yes     Arbitrary code execution
    Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion...
CVE-2019-7608   AVG-911   High      Yes     Information disclosure
    Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from, or...

Advisories

Date         Advisory       Group    Severity  Type
25 Feb 2019  ASA-201902-26  AVG-911  High      multiple issues