Kibana

24 CVEs

CVE-2026-26938 HIGH This Week

Kibana versions up to 9.3.0 contain a vulnerability that allows attackers to read arbitrary files from the Kibana server filesystem and to perform Server-Side Request Forgery (SSRF) (CVSS 8.6).

SSRF Code Injection Kibana
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-26937 MEDIUM This Month

Kibana's Timelion component is vulnerable to denial of service through uncontrolled resource consumption when processing malicious input data, affecting authenticated users with network access to the application. An attacker with valid credentials can manipulate input to exhaust system resources and render the service unavailable. No patch is currently available for this vulnerability.

Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-26936 MEDIUM This Month

Kibana's AI Inference Anonymization Engine contains a ReDoS (Regular Expression Denial of Service) vulnerability that allows authenticated high-privilege users to crash the service through maliciously crafted input. An attacker with administrative credentials can trigger exponential regex backtracking to render the system unavailable, though no patch is currently available.

Denial Of Service AI / ML Kibana
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-26935 MEDIUM This Month

Kibana's Content Connectors search endpoint fails to properly validate user input, allowing authenticated attackers to trigger a denial of service condition through crafted request data. This medium-severity vulnerability affects systems where users have login credentials and can be exploited without user interaction.

Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-26934 MEDIUM This Month

Kibana contains a vulnerability that allows an authenticated attacker with view-only privileges to cause a Denial of Service (CVSS 6.5).

Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-0543 MEDIUM This Month

Kibana's Email Connector fails to properly validate email address parameters, allowing authenticated users with view-level privileges to trigger excessive resource allocation and crash the service. An attacker can exploit this input validation flaw by submitting a specially crafted email address to cause complete denial of service, requiring manual service restart to restore availability for all users. No patch is currently available.

Code Injection Kibana Redhat
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-0531 MEDIUM This Month

Kibana Fleet is vulnerable to denial of service through uncontrolled resource allocation when processing specially crafted bulk retrieval requests, allowing authenticated users with viewer-level privileges to exhaust server memory and crash the application. An attacker can trigger redundant database operations that consume resources without limits, rendering the service unavailable to all users. No patch is currently available for this vulnerability.

Denial Of Service Kibana Redhat
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-0530 MEDIUM This Month

Kibana Fleet fails to limit resource allocation when processing specially crafted requests, allowing authenticated attackers to trigger excessive CPU and memory consumption that degrades or completely disables the service. The vulnerability affects Kibana deployments where users have authentication access, and no patch is currently available to remediate the issue.

Denial Of Service Kibana Redhat
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-0528 MEDIUM PATCH This Month

Denial of Service in Prometheus and Kibana metricsets can be triggered by sending specially crafted malformed payloads to Graphite, Zookeeper, or Prometheus data sources due to improper array index validation and input validation flaws. An unauthenticated attacker on the network can exploit this to crash monitoring services without user interaction. No patch is currently available.

Prometheus Denial Of Service Kibana Suse
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-37734 MEDIUM Monitor

Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.

Elastic SSRF Kibana Redhat
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-25010 MEDIUM PATCH This Month

Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role, which incorrectly has the ability to access all Kibana Spaces. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable with low attack complexity.

Authentication Bypass Elastic Privilege Escalation Kibana Redhat
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-25012 MEDIUM PATCH CERT-EU This Month

URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.

SSRF Open Redirect Debian Kibana Redhat
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-43706 HIGH This Week

CVE-2024-43706 is an improper authorization vulnerability in Kibana's Synthetic monitor endpoint that allows authenticated users to escalate privileges through direct HTTP requests. Attackers with low-level credentials can bypass access controls to perform unauthorized actions on synthetic monitoring functionality, potentially affecting confidentiality, integrity, and availability. While the CVSS 7.6 score indicates significant risk, real-world impact depends on deployment context and whether this vulnerability is actively exploited in the wild.

Elastic Privilege Escalation Authentication Bypass Kibana
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-25014 CRITICAL PATCH Act Now

A prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable with low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Prototype Pollution RCE Elastic Kibana
NVD
CVSS 3.1
9.1
EPSS
2.5%
CVE-2025-25016 MEDIUM PATCH This Month

Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file, due to insufficient server-side validation. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable with low attack complexity.

Elastic File Upload Kibana
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-11390 MEDIUM PATCH This Month

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim's browser (XSS) via crafted HTML and JavaScript files. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable with low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

XSS Elastic File Upload Kibana
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-12556 HIGH PATCH This Week

Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable with low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Prototype Pollution Path Traversal Elastic File Upload Kibana
NVD
CVSS 3.1
8.7
EPSS
1.1%
CVE-2024-52974 MEDIUM PATCH This Month

An issue has been identified where a specially crafted request sent to an Observability API could cause the Kibana server to crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable with low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Elastic Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-25015 CRITICAL Act Now

Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.

Prototype Pollution RCE Elastic File Upload Kibana
NVD
CVSS 3.1
9.9
EPSS
1.1%
CVE-2024-43708 MEDIUM PATCH This Month

An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload sent to a number of inputs in the Kibana UI. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable with low attack complexity.

Elastic Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-52972 MEDIUM PATCH This Month

An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable with low attack complexity.

Elastic Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-43710 MEDIUM PATCH Monitor

A server-side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable with low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Elastic SSRF Kibana
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-43707 HIGH PATCH This Month

An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable with low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Elastic Information Disclosure Kibana
NVD
CVSS 3.1
7.7
EPSS
0.8%
CVE-2024-52973 MEDIUM PATCH This Month

An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/log_entries/summary. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable with low attack complexity.

Elastic Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.5%