Description
With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 did not properly authenticate requests to advanced settings and the short URL service. As a result, any authenticated user could make requests to those services regardless of their own permissions.
Remediation
References
https://www.elastic.co/community/security