Description
With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 did not properly authenticate requests to advanced settings and the short URL service. As a result, any authenticated user could make requests to those services regardless of their own permissions.
Remediation
References
https://www.elastic.co/community/security
Related Vulnerabilities
CVE-2022-41252 Vulnerability in maven package org.jenkins-ci.plugins:cons3rt
CVE-2019-7619 Vulnerability in maven package org.elasticsearch:elasticsearch
CVE-2016-10027 Vulnerability in maven package org.igniterealtime.smack:smack-tcp
CVE-2023-37478 Vulnerability in npm package @pnpm/exe
CVE-2023-28155 Vulnerability in maven package org.webjars:request