CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52974
https://notcve.org/view.php?id=CVE-2024-52974
08 Apr 2025 — An issue has been identified where a specially crafted request sent to an Observability API could cause the kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned to them. • https://discuss.elastic.co/t/kibana-7-17-23-and-8-15-1-security-update-esa-2024-36/376923 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-43708
https://notcve.org/view.php?id=CVE-2024-43708
23 Jan 2025 — An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in Kibana UI. This can be carried out by users with read access to any feature in Kibana. Una asignación de recursos sin límites ni limitaciones en Kibana puede provocar un bloqueo causado por un payload especialmente manipulado para una serie de entradas en la interfaz de usuario de Kibana. Esto lo pueden llevar a cabo los usuarios con acceso de lectura a cualqui... • https://discuss.elastic.co/t/kibana-7-17-23-8-15-0-security-updates-esa-2024-32-esa-2024-33/373548 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52972 – Kibana allocation of resources without limits or throttling leads to crash
https://notcve.org/view.php?id=CVE-2024-52972
23 Jan 2025 — An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana. • https://discuss.elastic.co/t/kibana-7-17-23-8-15-0-security-updates-esa-2024-32-esa-2024-33/373548 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52973 – Kibana allocation of resources without limits or throttling leads to crash
https://notcve.org/view.php?id=CVE-2024-52973
21 Jan 2025 — An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/log_entries/summary. This can be carried out by users with read access to the Observability-Logs feature in Kibana. • https://discuss.elastic.co/t/kibana-7-17-23-and-8-14-2-security-update-esa-2024-26/373443 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37287 – Kibana arbitrary code execution via prototype pollution
https://notcve.org/view.php?id=CVE-2024-37287
13 Aug 2024 — A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution. • https://discuss.elastic.co/t/kibana-8-14-2-7-17-23-security-update-esa-2024-22 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 3%CPEs: 2EXPL: 1CVE-2024-23443
https://notcve.org/view.php?id=CVE-2024-23443
19 Jun 2024 — A high-privileged user, allowed to create custom osquery packs 17 could affect the availability of Kibana by uploading a maliciously crafted osquery pack. Un usuario con altos privilegios, al que se le permite crear paquetes de osquery personalizados 17, podría afectar la disponibilidad de Kibana al cargar un paquete de osquery creado con fines malintencionados. • https://github.com/zhazhalove/osquery_cve-2024-23443 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-23442 – Kibana open redirect issue
https://notcve.org/view.php?id=CVE-2024-23442
14 Jun 2024 — An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL. Se descubrió un problema de redireccionamiento abierto en Kibana que podría llevar a que un usuario sea redirigido a un sitio web arbitrario si utiliza una URL de Kibana manipulada con fines malintencionados. • https://discuss.elastic.co/t/kibana-8-14-0-7-17-22-security-update/361502 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-46675 – Kibana Insertion of Sensitive Information into Log File
https://notcve.org/view.php?id=CVE-2023-46675
13 Dec 2023 — An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or in the event where debug level logging is enabled in Kibana. Elastic has released Kibana 8.11.2 which resolves this issue. The messages recorded in the log may contain Account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users, Elastic Security package policy objects which can contain private keys, bearer token, and sessions of 3rd-party integrations ... • https://discuss.elastic.co/t/kibana-8-11-2-7-17-16-security-update-esa-2023-27/349182/2 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-38779
https://notcve.org/view.php?id=CVE-2022-38779
21 Feb 2023 — An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL. • https://discuss.elastic.co/t/kibana-7-17-9-and-8-6-2-security-update/325782 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-38778
https://notcve.org/view.php?id=CVE-2022-38778
08 Feb 2023 — A flaw (CVE-2022-38900) was discovered in one of Kibana’s third party dependencies, that could allow an authenticated user to perform a request that crashes the Kibana server process. • https://discuss.elastic.co/t/elastic-7-17-9-8-5-0-and-8-6-1-security-update/324661 • CWE-20: Improper Input Validation •