CVE-2018-17245

Published: Dec 20, 2018Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources plaintext credentials are included in the HTTP request that could be recovered by an external resource provider.

Affected (3)

Products: Elastic: Kibana

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Elastic Kibana	From 4.0.0 to 4.6.0
Elastic Kibana	From 5.0.0 to 5.6.12
Elastic Kibana	From 6.0.0 to 6.4.2

Related CWEs

Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References (4)

https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594

Source: security@elastic.co

MitigationVendor Advisory

https://www.elastic.co/community/security

Source: security@elastic.co

Vendor Advisory

https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

https://www.elastic.co/community/security

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.