Multiple vulnerabilities in Kibana
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2017-8439 CVE-2017-8440 |
| CWE-ID | CWE-79 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Kibana Web applications / Other software |
| Vendor | Elastic Stack |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Cross-site scripting
EUVDB-ID: #VU38921
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-8439
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an attacker to obtain sensitive information from Kibana users.
MitigationInstall update from vendor's website.
Vulnerable software versionsKibana: 5.4.0
CPE2.3 External linkshttps://discuss.elastic.co/t/elastic-stack-5-4-1-and-5-3-3-security-updates/87952
https://www.elastic.co/blog/kibana-5-4-1-and-5-3-3-released
https://www.elastic.co/community/security
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cross-site scripting
EUVDB-ID: #VU38922
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-8440
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
MitigationInstall update from vendor's website.
Vulnerable software versionsKibana: 5.3.0 - 5.4.0
CPE2.3- cpe:2.3:a:elastic_stack:kibana:5.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:elastic_stack:kibana:5.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:elastic_stack:kibana:5.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:elastic_stack:kibana:5.4.0:*:*:*:*:*:*:*
https://discuss.elastic.co/t/elastic-stack-5-4-1-and-5-3-3-security-updates/87952
https://www.elastic.co/blog/kibana-5-4-1-and-5-3-3-released
https://www.elastic.co/community/security
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
