NotCVE - vendor:"Elastic" product:"Kibana" version:"

Page 4 of 40 results (0.004 seconds)

CVSS: 9.3EPSS: 1%CPEs: 2EXPL: 0

CVE-2019-7610 – kibana: Audit logging Remote Code Execution issue

https://notcve.org/view.php?id=CVE-2019-7610

Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. Kibana anterior a versión 6.6.1, contienen un fallo de ejecución de código arbitrario en el registrador de auditoría de seguridad. Si una instancia de Kibana presenta la configuración xpack.security.audit.enabled establecida en true, un atacante podría enviar una petición que intente ejecutar código javascript. • https://access.redhat.com/errata/RHBA-2019:2824 https://access.redhat.com/errata/RHSA-2019:2860 https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077 https://www.elastic.co/community/security https://access.redhat.com/security/cve/CVE-2019-7610 https://bugzilla.redhat.com/show_bug.cgi?id=1696032 • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 10.0EPSS: 97%CPEs: 4EXPL: 9

CVE-2019-7609 – Kibana Arbitrary Code Execution

https://notcve.org/view.php?id=CVE-2019-7609

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. Las versiones anteriores a las 5.6.15 y 6.6.1 de Kibana contienen un error de ejecución de código arbitrario en el visualizador Timelion. Un atacante con acceso a la aplicación Timelion podría enviar una petición que intente ejecutar código javascript. • https://github.com/LandGrey/CVE-2019-7609 https://github.com/mpgn/CVE-2019-7609 https://github.com/hekadan/CVE-2019-7609 https://github.com/rhbb/CVE-2019-7609 https://github.com/wolf1892/CVE-2019-7609 https://github.com/Akshay15-png/CVE-2019-7609 https://github.com/dnr6419/CVE-2019-7609 https://github.com/OliveiraaX/CVE-2019-7609-KibanaRCE http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html https://access.redhat.com/errat • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.8EPSS: 96%CPEs: 3EXPL: 1

CVE-2018-17246

https://notcve.org/view.php?id=CVE-2018-17246

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. Kibana, en versiones anteriores a la 6.4.3 y la 5.6.13, contiene un error de inclusión de archivos arbitrarios en el plugin Console. Un atacante con acceso a la API de la consola de Kibana podría enviar una petición que intentará ejecutar código JavaScript. • https://github.com/mpgn/CVE-2018-17246 http://www.securityfocus.com/bid/106285 https://access.redhat.com/errata/RHBA-2018:3743 https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594 https://www.elastic.co/community/security • CWE-73: External Control of File Name or Path CWE-829: Inclusion of Functionality from Untrusted Control Sphere •

CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0

CVE-2018-17245

https://notcve.org/view.php?id=CVE-2018-17245

Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources plaintext credentials are included in the HTTP request that could be recovered by an external resource provider. Kibana, de la versión 4.0 a la 4.6, de la 5.0 a la 5.6.12 y de la 6.0 a la 6.4.2, contiene un error en la forma en la que las credenciales de autorización se emplean al generar informes en PDF. Si un informe solicita recursos externos, se incluyen las credenciales en texto plano en la petición HTTP, lo que podría ser recuperado por un proveedor de recursos externos. • https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594 https://www.elastic.co/community/security • CWE-201: Insertion of Sensitive Information Into Sent Data CWE-522: Insufficiently Protected Credentials •

CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0

CVE-2018-3830 – kibana: Cross-site scripting via the source field formatter

https://notcve.org/view.php?id=CVE-2018-3830

Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Las versiones 5.3.0 a 6.4.1 de Kibana presentaban una vulnerabilidad Cross-Site Scripting (XSS) a través del formateador de los campos de origen que podrían permitir a un atacante obtener información sensible o realizar acciones destructivas en nombre de otros usuarios de Kibana. • https://access.redhat.com/errata/RHSA-2018:3537 https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035 https://www.elastic.co/community/security https://access.redhat.com/security/cve/CVE-2018-3830 https://bugzilla.redhat.com/show_bug.cgi?id=1632450 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

1 2 3 4 5