CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-43708
https://notcve.org/view.php?id=CVE-2024-43708
23 Jan 2025 — An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in Kibana UI. This can be carried out by users with read access to any feature in Kibana. Una asignación de recursos sin límites ni limitaciones en Kibana puede provocar un bloqueo causado por un payload especialmente manipulado para una serie de entradas en la interfaz de usuario de Kibana. Esto lo pueden llevar a cabo los usuarios con acceso de lectura a cualqui... • https://discuss.elastic.co/t/kibana-7-17-23-8-15-0-security-updates-esa-2024-32-esa-2024-33/373548 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52972 – Kibana allocation of resources without limits or throttling leads to crash
https://notcve.org/view.php?id=CVE-2024-52972
23 Jan 2025 — An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana. • https://discuss.elastic.co/t/kibana-7-17-23-8-15-0-security-updates-esa-2024-32-esa-2024-33/373548 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43707 – Kibana exposure of sensitive information to an unauthorized actor
https://notcve.org/view.php?id=CVE-2024-43707
23 Jan 2025 — An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions. • https://discuss.elastic.co/t/kibana-8-15-0-security-update-esa-2024-29-esa-2024-30/373521 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43710 – Kibana server-side request forgery
https://notcve.org/view.php?id=CVE-2024-43710
23 Jan 2025 — A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. This can be carried out by users with read access to Fleet. • https://discuss.elastic.co/t/kibana-8-15-0-security-update-esa-2024-29-esa-2024-30/373521 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52973 – Kibana allocation of resources without limits or throttling leads to crash
https://notcve.org/view.php?id=CVE-2024-52973
21 Jan 2025 — An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/log_entries/summary. This can be carried out by users with read access to the Observability-Logs feature in Kibana. • https://discuss.elastic.co/t/kibana-7-17-23-and-8-14-2-security-update-esa-2024-26/373443 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37287 – Kibana arbitrary code execution via prototype pollution
https://notcve.org/view.php?id=CVE-2024-37287
13 Aug 2024 — A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution. • https://discuss.elastic.co/t/kibana-8-14-2-7-17-23-security-update-esa-2024-22 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2024-23443
https://notcve.org/view.php?id=CVE-2024-23443
19 Jun 2024 — A high-privileged user, allowed to create custom osquery packs 17 could affect the availability of Kibana by uploading a maliciously crafted osquery pack. Un usuario con altos privilegios, al que se le permite crear paquetes de osquery personalizados 17, podría afectar la disponibilidad de Kibana al cargar un paquete de osquery creado con fines malintencionados. • https://github.com/zhazhalove/osquery_cve-2024-23443 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-23442 – Kibana open redirect issue
https://notcve.org/view.php?id=CVE-2024-23442
14 Jun 2024 — An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL. Se descubrió un problema de redireccionamiento abierto en Kibana que podría llevar a que un usuario sea redirigido a un sitio web arbitrario si utiliza una URL de Kibana manipulada con fines malintencionados. • https://discuss.elastic.co/t/kibana-8-14-0-7-17-22-security-update/361502 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37279 – Kibana Broken Access Control issue
https://notcve.org/view.php?id=CVE-2024-37279
13 Jun 2024 — A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API making the alerting rule run continuously, potentially affecting the system availability if the alerting rule is running complex queries. Se descubrió una falla en Kibana, que permite a los usuarios de alertas de solo visualización usar la API run_soon, lo que hace que la regla de alerta se ejecute continuamente, lo que podría afectar la disponibilidad del sistema si la regla de alerta ejecuta consultas complejas. • https://discuss.elastic.co/t/kibana-8-14-0-security-update-esa-2024-15/360887 •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23446 – Kibana Broken Access Control issue
https://notcve.org/view.php?id=CVE-2024-23446
07 Feb 2024 — An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the .alerts-security.alerts-{space_id} indices. Users who are authorized to call this API may obtain unauthorized access to documents if their roles are configured with DLS or FLS against the aforementioned index. Elastic descubrió un problema por el cual la API de búsqueda del motor de detección no respeta la seguridad a nivel de documento (D... • https://discuss.elastic.co/t/kibana-8-12-1-security-update-esa-2024-01/352686 • CWE-284: Improper Access Control •