CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-43708
https://notcve.org/view.php?id=CVE-2024-43708
23 Jan 2025 — An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in Kibana UI. This can be carried out by users with read access to any feature in Kibana. Una asignación de recursos sin límites ni limitaciones en Kibana puede provocar un bloqueo causado por un payload especialmente manipulado para una serie de entradas en la interfaz de usuario de Kibana. Esto lo pueden llevar a cabo los usuarios con acceso de lectura a cualqui... • https://discuss.elastic.co/t/kibana-7-17-23-8-15-0-security-updates-esa-2024-32-esa-2024-33/373548 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52972 – Kibana allocation of resources without limits or throttling leads to crash
https://notcve.org/view.php?id=CVE-2024-52972
23 Jan 2025 — An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana. • https://discuss.elastic.co/t/kibana-7-17-23-8-15-0-security-updates-esa-2024-32-esa-2024-33/373548 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43707 – Kibana exposure of sensitive information to an unauthorized actor
https://notcve.org/view.php?id=CVE-2024-43707
23 Jan 2025 — An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions. • https://discuss.elastic.co/t/kibana-8-15-0-security-update-esa-2024-29-esa-2024-30/373521 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52973 – Kibana allocation of resources without limits or throttling leads to crash
https://notcve.org/view.php?id=CVE-2024-52973
21 Jan 2025 — An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/log_entries/summary. This can be carried out by users with read access to the Observability-Logs feature in Kibana. • https://discuss.elastic.co/t/kibana-7-17-23-and-8-14-2-security-update-esa-2024-26/373443 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37287 – Kibana arbitrary code execution via prototype pollution
https://notcve.org/view.php?id=CVE-2024-37287
13 Aug 2024 — A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution. • https://discuss.elastic.co/t/kibana-8-14-2-7-17-23-security-update-esa-2024-22 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2024-23443
https://notcve.org/view.php?id=CVE-2024-23443
19 Jun 2024 — A high-privileged user, allowed to create custom osquery packs 17 could affect the availability of Kibana by uploading a maliciously crafted osquery pack. Un usuario con altos privilegios, al que se le permite crear paquetes de osquery personalizados 17, podría afectar la disponibilidad de Kibana al cargar un paquete de osquery creado con fines malintencionados. • https://github.com/zhazhalove/osquery_cve-2024-23443 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-23442 – Kibana open redirect issue
https://notcve.org/view.php?id=CVE-2024-23442
14 Jun 2024 — An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL. Se descubrió un problema de redireccionamiento abierto en Kibana que podría llevar a que un usuario sea redirigido a un sitio web arbitrario si utiliza una URL de Kibana manipulada con fines malintencionados. • https://discuss.elastic.co/t/kibana-8-14-0-7-17-22-security-update/361502 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23446 – Kibana Broken Access Control issue
https://notcve.org/view.php?id=CVE-2024-23446
07 Feb 2024 — An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the .alerts-security.alerts-{space_id} indices. Users who are authorized to call this API may obtain unauthorized access to documents if their roles are configured with DLS or FLS against the aforementioned index. Elastic descubrió un problema por el cual la API de búsqueda del motor de detección no respeta la seguridad a nivel de documento (D... • https://discuss.elastic.co/t/kibana-8-12-1-security-update-esa-2024-01/352686 • CWE-284: Improper Access Control •
CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-46675 – Kibana Insertion of Sensitive Information into Log File
https://notcve.org/view.php?id=CVE-2023-46675
13 Dec 2023 — An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or in the event where debug level logging is enabled in Kibana. Elastic has released Kibana 8.11.2 which resolves this issue. The messages recorded in the log may contain Account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users, Elastic Security package policy objects which can contain private keys, bearer token, and sessions of 3rd-party integrations ... • https://discuss.elastic.co/t/kibana-8-11-2-7-17-16-security-update-esa-2023-27/349182/2 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46671 – Kibana Insertion of Sensitive Information into Log File
https://notcve.org/view.php?id=CVE-2023-46671
13 Dec 2023 — An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Elastic has released Kibana 8.11.1 which resolves this issue. The error message recorded in the log may contain account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users. The issue occurs infrequently, only if an error is returned from an Elasticsearch cluster, in cases where there is user interaction and an unhealthy cluster (for example, when returni... • https://discuss.elastic.co/t/8-11-1-7-17-15-security-update-esa-2023-25/347149 • CWE-532: Insertion of Sensitive Information into Log File •