Description

With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those services regardless of their own permissions.

Remediation

References

https://www.elastic.co/community/security

Related Vulnerabilities

CVE-2023-37478 Vulnerability in npm package @pnpm/macos-arm64

CVE-2019-1003022 Vulnerability in maven package org.jvnet.hudson.plugins:monitoring

CVE-2023-30516 Vulnerability in maven package org.jenkins-ci.plugins:image-tag-parameter

CVE-2022-28157 Vulnerability in maven package com.surenpi.jenkins:phoenix-autotest

CVE-2021-41182 Vulnerability in maven package org.webjars.npm:jquery-ui

Severity

High

Classification

CWE-264 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory