Elastic Stack 7.13.0 and 6.8.16 Security Update

Kibana url redirection flaw (ESA-2021-12)

An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged-in user visits a maliciously crafted URL, Kibana could redirect the user to an arbitrary website.

Affected Versions:

All versions of Kibana before 7.13.0 and 6.8.16.

Solutions and Mitigations:

Users should update their version of Kibana to 7.13.0 or 6.8.16.

CVSSv3 - 4.3: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE ID: CVE-2021-22141

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
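The general defence for the weakness class named above (CWE-601) is to accept only application-relative redirect targets. The helper below is an added example written for this page, not Kibana's own code and not a description of the fixed flaw; APP_ORIGIN is a hypothetical deployment origin and the rejected inputs are constructed test strings.

```javascript
// Added example (not Kibana's code): validate a post-login "next" parameter so a
// redirect can only ever land back inside the application (mitigation for CWE-601).
// Uses Node's global WHATWG URL class; no third-party modules required.

// Hypothetical origin of the deployment; a real value would come from configuration.
const APP_ORIGIN = "https://kibana.example.internal";

// Returns a safe, same-origin path to redirect to, or `fallback` when the candidate
// could carry the user to another site.
function safeRedirectTarget(candidate, fallback = "/app/home") {
  if (typeof candidate !== "string" || candidate.length === 0) return fallback;

  // Only app-relative paths are acceptable. This rejects absolute URLs with a scheme
  // ("https:", "javascript:"), protocol-relative URLs ("//host") and the backslash
  // variant ("/\host") that browsers normalise to "//host".
  if (!candidate.startsWith("/") || candidate.startsWith("//") || candidate.startsWith("/\\")) {
    return fallback;
  }
  // Whitespace and control characters are stripped by some browsers before parsing,
  // so a value containing them cannot be reasoned about reliably; refuse it.
  if (/[\u0000-\u001f\u007f\s]/.test(candidate)) return fallback;

  // Resolve against the app origin with the same parser browsers use and confirm the
  // result stayed on that origin.
  let resolved;
  try {
    resolved = new URL(candidate, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (resolved.origin !== APP_ORIGIN) return fallback;

  // Edge case: dot-segment normalisation can turn a path such as "/..//host" into the
  // pathname "//host", which a browser would treat as protocol-relative if we echoed it
  // back as a relative Location. Reject any normalised pathname that starts with "//".
  if (resolved.pathname.startsWith("//")) return fallback;

  // Hand back path + query + fragment only, never a full URL built from user input.
  return resolved.pathname + resolved.search + resolved.hash;
}
```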


Kibana Reporting vulnerabilities (ESA-2021-13)

Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate the downloadable reports. If a user with permissions to generate reports is able to render arbitrary HTML with this browser, they may be able to leverage known Chromium vulnerabilities to conduct further attacks. Kibana contains a number of protections to prevent this browser from rendering arbitrary content.

Affected Versions:

All versions of Kibana after 7.0.0 and before 7.13.0.

Solutions and Mitigations:

Users should update their version of Kibana to 7.13.0.

CVSSv3 - 6.6: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE ID: CVE-2021-22142

CWE-1104: Use of Unmaintained Third Party Components