Use of JavaScript Library with Known Vulnerability


We have done a Qualys WAS security test on Kibana [version 6.6.1] and we are getting "Use of JavaScript Library with Known Vulnerability".

Description of vulnerability:

Vulnerable javascript library: jQuery
version: 3.3.1
CVE-2019-11358: jQuery versions below 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. An unsanitized source object containing an enumerable __proto__ property could extend the native Object.prototype. Please refer following resources for more details:
Found on the following pages (only first 10 pages are reported):

Can you please help us to resolve this issue?

The latest version of Kibana is currently on jQuery 3.4.1. I'm not sure what our patching policy is, but I will ask the security team.

My advice would be to upgrade to Kibana 7.x or at least to the latest 6.x.

Hey @Varun_S, for security reports like these in the future please send an e-mail to per

Our usages of jQuery in Kibana weren't vulnerable to this CVE, but we've upgraded jQuery to 3.4.1 starting in Kibana 7.2.0 to prevent vulnerability scanners from reporting this issue.
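As an added illustration of the CVE discussed in this thread (not code from the thread, from jQuery, or from Kibana): a simplified recursive merge in the style of `jQuery.extend(true, {}, ...)`, run with and without a guard that skips the `__proto__` key, which is the approach the jQuery 3.4.0 fix takes. The names `deepExtend` and `demo` and the sample JSON are constructed for this example.

```javascript
// Simplified deep merge, modelled on the behaviour of jQuery.extend(true, ...).
// Hypothetical helper for illustration; this is not jQuery's source.
function deepExtend(target, source, skipProto) {
  for (const name in source) {
    // Guard in the style of the 3.4.0 fix: never merge a "__proto__" key.
    if (skipProto && name === "__proto__") continue;

    const copy = source[name];
    if (copy && typeof copy === "object" && !Array.isArray(copy)) {
      // Without the guard, target["__proto__"] resolves to Object.prototype,
      // so the recursion below writes into the shared prototype.
      const existing = target[name];
      const clone = existing && typeof existing === "object" ? existing : {};
      target[name] = deepExtend(clone, copy, skipProto);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Merge a constructed, untrusted JSON document and report whether an
// unrelated, freshly created object picked up the injected property.
function demo(skipProto) {
  // JSON.parse creates "__proto__" as an own, enumerable property.
  const untrusted = JSON.parse(
    '{"theme":{"dark":true},"__proto__":{"polluted":true}}'
  );
  const settings = deepExtend({}, untrusted, skipProto);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // restore global state after the check
  return { leaked: leaked, dark: settings.theme.dark };
}

console.log("unguarded merge:", demo(false)); // prototype is polluted
console.log("guarded merge:  ", demo(true));  // prototype is untouched
```

A version-based scanner finding only establishes that the library predates the fix; whether an application is affected depends on whether attacker-controlled objects reach a deep merge like the one above.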

Thanks @christophilus

Thanks @Brandon_Kobel...

I will upgrade Kibana and will run the scan.

You will need to upgrade the entire stack.
