Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Kibana
(Elastic)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 57 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-06-13 | CVE-2024-37279 | A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API making the alerting rule run continuously, potentially affecting the system availability if the alerting rule is running complex queries. | Kibana | 4.3 | ||
| 2024-09-09 | CVE-2024-37288 | A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security’s built-in AI tools https://www.elastic.co/guide/en/security/current/ai-for-security.html and have configured an Amazon Bedrock connector https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html . | Kibana | 8.8 | ||
| 2024-08-13 | CVE-2024-37287 | A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution. | Kibana | 7.2 | ||
| 2024-06-19 | CVE-2024-23443 | A high-privileged user, allowed to create custom osquery packs 17 could affect the availability of Kibana by uploading a maliciously crafted osquery pack. | Kibana | 4.9 | ||
| 2024-06-14 | CVE-2024-23442 | An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL. | Kibana | 6.1 | ||
| 2019-03-25 | CVE-2019-7609 | Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. | Kibana, Openshift_container_platform | 10.0 | ||
| 2024-02-07 | CVE-2024-23446 | An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the .alerts-security.alerts-{space_id} indices. Users who are authorized to call this API may obtain unauthorized access to documents if their roles are configured with DLS or FLS against the aforementioned index. | Kibana | 6.5 |