Kibana 6.0.1 and 5.6.5 security update


(Josh Bressers) #1

Kibana cross site scripting issue (ESA-2017-22)

Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

Affected Versions: All prior to 6.0.1 and 5.6.5

Solutions and Mitigations:
Users should upgrade to Kibana version 6.0.1 or 5.6.5. There are no known workarounds for this issue.

CVE ID: CVE-2017-11481


Kibana open redirect flaw (ESA-2017-23)

The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.

Affected Versions: All prior to 6.0.1 and 5.6.5

Solutions and Mitigations:
Users should upgrade to Kibana version 6.0.1 or 5.6.5. There are no known workarounds for this issue.

CVE ID: CVE-2017-11482
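Both advisories above are instances of well-known URL-handling defects, and since Kibana is a JavaScript application the defensive pattern is easy to show in the same language. The block below is an added example, not Kibana's code and not the fix shipped in 6.0.1 / 5.6.5: one check restricts a user-supplied URL field to http(s) link targets and escapes it before rendering (the XSS class in ESA-2017-22), the other restricts a post-login redirect to a same-origin path (the open redirect class in ESA-2017-23). The function names, the `next` parameter, the `/` fallback and the sample inputs are assumptions for illustration.

```javascript
// Added example (not Kibana's code and not the patch shipped in 6.0.1 / 5.6.5):
// defensive checks for the two vulnerability classes in this advisory.
// Function names, the `next` parameter, the fallback path and the sample
// inputs are assumptions for illustration.

// --- ESA-2017-22: URL fields rendered as links (XSS class) -----------------

// Accept only absolute http(s) URLs as link targets. Anything else
// (javascript:, data:, vbscript:, relative strings, garbage) yields null so
// the caller renders it as text instead of a clickable link.
function safeLinkHref(rawValue) {
  let url;
  try {
    url = new URL(String(rawValue)); // throws on non-absolute input
  } catch (e) {
    return null;
  }
  // URL normalises the scheme to lower case, so "JavaScript:" is caught too.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}

// Minimal HTML escaping, safe for both text and double-quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a URL field: escaped text always, an <a> only for an allowed scheme.
function renderUrlField(rawValue) {
  const text = escapeHtml(rawValue);
  const href = safeLinkHref(rawValue);
  if (href === null) return text;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${text}</a>`;
}

// --- ESA-2017-23: post-login redirect target (open redirect class) ---------

// Only allow a same-origin path. Rejects absolute URLs, scheme-relative
// "//host", backslash variants, and inputs that the URL parser would still
// turn into another origin (for example tabs and newlines, which it strips).
function safeRedirectTarget(next, fallback = '/') {
  if (typeof next !== 'string' || next === '') return fallback;
  // Must look like "/x": one leading slash, not followed by "/" or "\".
  if (!/^\/(?![\/\\])/.test(next)) return fallback;
  // Resolve against a placeholder origin and confirm it was not escaped.
  const placeholder = 'http://kibana.invalid';
  const resolved = new URL(next, placeholder);
  if (resolved.origin !== placeholder) return fallback;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed sample inputs, printed only when this file is run directly.
if (typeof require !== 'undefined' && require.main === module) {
  for (const v of ['https://example.com/', 'javascript:alert(1)', 'not a url']) {
    console.log(JSON.stringify(v), '->', renderUrlField(v));
  }
  for (const n of ['/app/home', '//attacker.example/', 'https://attacker.example', '/\t/attacker.example']) {
    console.log(JSON.stringify(n), '->', safeRedirectTarget(n));
  }
}
```

The redirect check is deliberately two-layered: the regular expression rejects the obvious `//host` and `/\host` shapes, and the resolve-then-compare step catches anything the browser's URL parser would still reinterpret as another origin, such as a tab between the slashes. Relying on either layer alone is how "incomplete fix" advisories like ESA-2017-23 come about.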