Description
With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service. As a result, any authenticated user could make requests to those services regardless of their own permissions.
Remediation
References
https://www.elastic.co/community/security
Related Vulnerabilities
CVE-2016-7103 Vulnerability in maven package org.webjars.bower:jquery-ui
CVE-2015-3250 Vulnerability in maven package org.apache.directory.api:api-ldap-client-all
CVE-2023-28155 Vulnerability in npm package request
CVE-2017-4960 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-server
CVE-2017-1000118 Vulnerability in maven package com.typesafe.akka:akka-http-core_2.11