Kibana incomplete fix for ESA-2017-23 (ESA-2018-03)
The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
Affected Versions
All versions before 6.1.3 and 5.6.7
Solutions and Mitigations:
Users should upgrade to Kibana version 6.1.3 or 5.6.7. There are no known workarounds for this issue.
CVE ID: CVE-2018-3819
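As an added illustration of the class of defect described above (a login page forwarding the browser to a caller-supplied target), the function below shows how a post-login redirect parameter can be constrained to a same-origin path, including the variants that tend to survive a first, incomplete fix. This is example code, not Kibana's own implementation; the ORIGIN value and the `next` parameter name are assumptions.

```javascript
// Added example (not Kibana's own code): validating a post-login "next"
// parameter so the login page can only redirect within the application.
// ORIGIN is a constructed placeholder used only to give the URL parser a base.
const ORIGIN = "https://app.invalid";

// A target is acceptable only if it is a path on the same origin: one leading
// "/" that is not followed by "/" or "\", since browsers treat "//host" and
// "/\host" as protocol-relative URLs.
const SAME_ORIGIN_PATH = /^\/(?![/\\])/;

/**
 * Return `next` if it is a safe same-origin path, otherwise `fallback`.
 * @param {unknown} next     raw value of the redirect parameter
 * @param {string}  fallback path to use when `next` is rejected
 */
function safeRedirectTarget(next, fallback = "/") {
  if (typeof next !== "string" || !SAME_ORIGIN_PATH.test(next)) return fallback;

  // Control characters could split the Location header or hide a scheme.
  if (/[\u0000-\u001f\u007f]/.test(next)) return fallback;

  // Defence in depth: let the real URL parser decide where the value points.
  // Resolving against a fixed origin and confirming the origin is unchanged
  // catches parser quirks a hand-written check may not anticipate.
  let resolved;
  try {
    resolved = new URL(next, ORIGIN);
  } catch (_) {
    return fallback;
  }
  if (resolved.origin !== ORIGIN) return fallback;

  // Dot segments can collapse into a protocol-relative path ("/..//host"
  // normalises to "//host"), so the normalised path must pass the same test.
  const target = resolved.pathname + resolved.search + resolved.hash;
  if (!SAME_ORIGIN_PATH.test(target)) return fallback;
  return target;
}
```

The normalised value returned by the function, not the raw parameter, is what should be placed in the Location header.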
Kibana XSS in labs visualizations (ESA-2018-04)
Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Affected Versions
All versions after 6.1.0 and before 6.1.3
Solutions and Mitigations:
Users of affected versions should upgrade to Kibana version 6.1.3. There are no known workarounds for this issue.
CVE ID: CVE-2018-3820
Kibana XSS in tag cloud visualization (ESA-2018-05)
Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Affected Versions
All versions after 5.1.1 and before 5.6.7 and 6.1.3
Solutions and Mitigations:
Users should upgrade to Kibana version 6.1.3 or 5.6.7. There are no known workarounds for this issue.
CVE ID: CVE-2018-3821