Kibana 7.15.2 Security Update

Kibana Path Traversal issue (ESA-2021-26)

It was discovered that, on Windows operating systems specifically, Kibana was not validating a user-supplied path used to load .pbf files. Because of this, a malicious user could traverse the Kibana host's filesystem and load arbitrary internal files ending in the .pbf extension.
Thanks to Dominic Couture for finding this vulnerability.

Affected Versions:

All versions from 7.9.0 through 7.15.1

Solutions and Mitigations:

Users should upgrade to Kibana version 7.15.2

CVSSv3: 3.1 - AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2021-37938


Kibana Information Disclosure issue (ESA-2021-27)

It was discovered that Kibana's JIRA connector and IBM Resilient connector could be used to return HTTP response data from internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors could use these connectors to view limited HTTP response data from hosts accessible to the cluster.

Affected Versions:

All versions from 7.8.0 through 7.15.1

Solutions and Mitigations:

Users should upgrade to Kibana version 7.15.2

CVSSv3: 4.1 - AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
CVE ID: CVE-2021-37939