Kibana url redirection flaw (ESA-2021-12)
An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged-in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
Affected Versions:
All versions of Kibana before 7.13.0 and 6.8.16.
Solutions and Mitigations:
Users should update their version of Kibana to 7.13.0 or 6.8.16.
CVSSv3 - 4.3: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE ID: CVE-2021-22141
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
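As an added illustration of how the CWE-601 class above is mitigated (example code written here, not Kibana's own implementation), the check below rejects a user-supplied redirect target unless it stays on the application's own origin and, optionally, under its configured base path. The `next` parameter name, the base path and the `kibana.invalid` placeholder origin are assumptions.

```javascript
// Validates a post-login redirect target taken from user input (assumed to
// arrive as a query parameter such as ?next=...). Returns true only for an
// absolute path on this origin; everything that a browser could resolve to
// another host is rejected.
function isSafeRedirectTarget(next, basePath = '') {
  if (typeof next !== 'string' || next.length === 0) return false;
  // Absolute URLs with any scheme (http:, https:, javascript:, data:, ...).
  if (/^[a-z][a-z0-9+.-]*:/i.test(next)) return false;
  // Protocol-relative ("//host") and backslash variants ("/\host", "\\host"),
  // which browsers normalise to a different host.
  if (/^[\/\\]{2}/.test(next) || /^\/[\/\\]/.test(next)) return false;
  // Only absolute paths on this origin are acceptable.
  if (!next.startsWith('/')) return false;
  // Control characters and whitespace confuse parsers and response headers.
  if (/[\x00-\x20\x7f]/.test(next)) return false;
  // Let the WHATWG URL parser resolve it against a fixed placeholder origin
  // (assumed) and confirm it agrees the result stays on that origin.
  const placeholderOrigin = 'https://kibana.invalid';
  const resolved = new URL(next, placeholderOrigin);
  if (resolved.origin !== placeholderOrigin) return false;
  // Optionally confine the redirect to the app's base path; path traversal
  // such as "/app/../x" is already normalised away by the parser.
  if (basePath &&
      resolved.pathname !== basePath &&
      !resolved.pathname.startsWith(basePath + '/')) return false;
  return true;
}

// Returns the target if it is safe, otherwise a fixed local fallback.
function sanitizeRedirect(next, basePath = '', fallback = '/') {
  return isSafeRedirectTarget(next, basePath) ? next : fallback;
}
```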
Kibana Reporting vulnerabilities (ESA-2021-13)
Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate the downloadable reports. If a user with permissions to generate reports is able to render arbitrary HTML with this browser, they may be able to leverage known Chromium vulnerabilities to conduct further attacks. Kibana contains a number of protections to prevent this browser from rendering arbitrary content.
Affected Versions:
All versions of Kibana after 7.0.0 and before 7.13.0
Solutions and Mitigations:
Users should update their version of Kibana to 7.13.0.
CVSSv3 - 6.6: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2021-22142
CWE-1104: Use of Unmaintained Third Party Components