Kibana prone to CSRF Attack

Dear Team,

Our security team has raised a flag that Kibana is prone to a CSRF attack. We have deployed the latest version of the ECK components. Can you please guide me on whether there are any settings that can help fix this?

ECK 1.1.2
Elastic 7.8.0
Kibana 7.8.0

I was under the impression that this vulnerability was fixed in Kibana 5.x+ versions.

Please help.

Thanks.

Any more details from your security team on the vulnerability they've detected? If they saw it manually, what pages and elements were they looking at? Or if an automatic tool flagged Kibana as vulnerable, can you provide the output of the tool?

Send these details to https://www.elastic.co/community/security rather than posting the answers here.

> I was under the impression that this vulnerability was fixed in Kibana 5.x+ versions.

That's still correct: the last known CSRF vulnerability isn't present in Kibana 5 or above. List of public vulnerabilities: https://www.cvedetails.com/vulnerability-list/vendor_id-13554/product_id-31867/Elasticsearch-Kibana.html. So if there is no mistake and your team has detected a new one, please have them send details to that page ASAP; your report would be much appreciated.

Hi @Emanuil, I have sent the data to security but I did not hear back. What will be the best way to follow up on that? Thanks.

Let's move this to direct messages, thanks for reporting. I'll follow up.
