Kibana markdown parser Cross Site Scripting (XSS) error (ESA-2017-16)
Kibana versions prior to 5.5.2 had a cross-site scripting (XSS) vulnerability in the markdown parser that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Affected Versions: All prior to 5.5.2 and 4.6.5
Solutions and Mitigations:
Users should upgrade to Kibana version 5.5.2 or 4.6.5.
Reporting impersonation error (ESA-2017-17)
The Reporting feature in X-Pack versions prior to 5.5.2, and in standalone Reporting plugin versions prior to 2.4.6, had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data.
Affected Versions: All prior to 5.5.2 and 2.4.6
Solutions and Mitigations:
Reporting users should upgrade to X-Pack version 5.5.2 or Reporting Plugin version 2.4.6. A mitigation for this issue is to remove the reporting_user role from any untrusted users of your Elastic Stack.
CVE ID: CVE-2017-8446
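As an added example (not part of the Elastic advisory), the following audit helper covers both advisories above: it decides whether an installed version falls in the affected range given the fixed version on each release branch (5.5.2 and 4.6.5 for Kibana, 5.5.2 and 2.4.6 for Reporting), and it lists which users hold the reporting_user role in a response shaped like the X-Pack users API (GET _xpack/security/user). The user data embedded below is constructed for this example.

```python
"""Audit helper for ESA-2017-16 and ESA-2017-17 (added example, not Elastic's code)."""
import json

KIBANA_FIXES = ("5.5.2", "4.6.5")      # ESA-2017-16: Kibana 5.x and 4.x branches
REPORTING_FIXES = ("5.5.2", "2.4.6")   # ESA-2017-17: X-Pack and standalone Reporting plugin


def parse_version(v):
    """'5.5.2' -> (5, 5, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def is_affected(installed, fixed_versions):
    """True when `installed` is older than the fix released on its own major branch.

    The advisory says 'all prior to' the fixed versions, so a major with no fix
    of its own (e.g. 3.x) counts as affected when it predates the newest fix."""
    inst = parse_version(installed)
    fixes = {parse_version(f)[0]: parse_version(f) for f in fixed_versions}
    fix = fixes.get(inst[0])
    if fix is None:
        return inst < max(fixes.values())
    return inst < fix


# Constructed sample response (not real data) in the shape of GET _xpack/security/user.
SAMPLE_USERS_JSON = json.dumps({
    "alice": {"username": "alice", "roles": ["kibana_user", "reporting_user"], "enabled": True},
    "bob": {"username": "bob", "roles": ["kibana_user"], "enabled": True},
    "svc-report": {"username": "svc-report", "roles": ["reporting_user"], "enabled": False},
})


def users_with_role(users_json, role, include_disabled=False):
    """Return the sorted usernames holding `role`; disabled accounts are skipped by default."""
    users = json.loads(users_json)
    return sorted(
        name for name, u in users.items()
        if role in u.get("roles", []) and (include_disabled or u.get("enabled", True))
    )


if __name__ == "__main__":
    for v in ("4.6.4", "4.6.5", "5.5.1", "5.5.2", "6.0.0"):
        print(v, "affected by ESA-2017-16:", is_affected(v, KIBANA_FIXES))
    print("reporting_user holders to review:", users_with_role(SAMPLE_USERS_JSON, "reporting_user"))
```

Point `users_with_role` at the real users API output to get the list of accounts whose reporting_user role should be reviewed until the upgrade is done.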