Permissions, Privileges, and Access Controls in Kibana - CVE-2016-10364


Published: June 17, 2017 / Updated: August 8, 2020


Vulnerability identifier: #VU38852
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-10364
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Elastic Stack
Affected software:
Kibana

Detailed vulnerability description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 did not properly authorize requests to the advanced settings and short URL services: the requests were authenticated, but the caller's permissions were not checked. As a result, any authenticated user could make requests to those services regardless of their own permissions.
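The advisory ties exposure to two conditions, an affected Kibana release and X-Pack being installed. The following script is an added example, not code from the advisory, from Elastic or from Kibana. It classifies a Kibana /api/status document against both conditions. It assumes (hypothetically; verify against your own deployment) that GET /api/status on Kibana 5.x returns JSON with version.number and a status.statuses list in which X-Pack appears with an id beginning with "plugin:xpack_main@". The sample documents at the bottom are constructed, not captured from a real node.

```python
"""Decide whether a Kibana node is in the CVE-2016-10364 affected set.

Added example, not code from the advisory, Elastic, or Kibana.
Assumption (verify in your environment): GET /api/status on Kibana 5.x
returns {"version": {"number": "..."}, "status": {"statuses": [...]}} and
X-Pack registers a status entry whose id starts with "plugin:xpack_main@".
"""
import json
import urllib.request

FIRST_AFFECTED = (5, 0, 0)   # advisory: 5.0.0 and 5.0.1 are affected
FIRST_FIXED = (5, 0, 2)      # the next release after the last affected one


def parse_version(ver):
    """'5.0.1' or '5.0.1-SNAPSHOT' -> (5, 0, 1); a pre-release suffix is ignored."""
    core = ver.split("-", 1)[0]
    try:
        return tuple(int(p) for p in core.split("."))
    except ValueError:
        raise ValueError("unrecognised Kibana version string: %r" % ver)


def version_affected(ver):
    """True only for releases in the range [5.0.0, 5.0.2)."""
    v = parse_version(ver)
    return FIRST_AFFECTED <= v < FIRST_FIXED


def xpack_installed(status):
    """Assumption: X-Pack shows up as a status entry with id 'plugin:xpack_main@<ver>'."""
    entries = status.get("status", {}).get("statuses", [])
    return any(str(e.get("id", "")).startswith("plugin:xpack_main@") for e in entries)


def assess(status):
    """Classify one /api/status document; returns a dict with a 'verdict' key."""
    ver = status.get("version", {}).get("number")
    if not ver:
        raise ValueError("status document has no version.number")
    in_range = version_affected(ver)
    xpack = xpack_installed(status)
    if in_range and xpack:
        verdict = "AFFECTED"                    # both advisory conditions hold
    elif in_range:
        verdict = "VERSION_AFFECTED_NO_XPACK"   # no X-Pack, so no security checks to bypass
    else:
        verdict = "NOT_AFFECTED"
    return {"version": ver, "xpack": xpack, "verdict": verdict}


def fetch_status(base_url, timeout=10):
    """Live variant: read /api/status from a running Kibana (not used in the offline run)."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/api/status", timeout=timeout) as r:
        return json.load(r)


# Constructed sample documents (not captured from a real node).
SAMPLE_AFFECTED = {
    "version": {"number": "5.0.1"},
    "status": {"statuses": [{"id": "plugin:kibana@5.0.1", "state": "green"},
                            {"id": "plugin:xpack_main@5.0.1", "state": "green"}]},
}
SAMPLE_NO_XPACK = {
    "version": {"number": "5.0.0"},
    "status": {"statuses": [{"id": "plugin:kibana@5.0.0", "state": "green"}]},
}
SAMPLE_FIXED = {
    "version": {"number": "5.0.2"},
    "status": {"statuses": [{"id": "plugin:xpack_main@5.0.2", "state": "green"}]},
}

if __name__ == "__main__":
    for doc in (SAMPLE_AFFECTED, SAMPLE_NO_XPACK, SAMPLE_FIXED):
        print(assess(doc))
```

Against a live node, call assess(fetch_status("http://kibana.example:5601")) with the real base URL. The version comparison is done on integer tuples rather than strings so that a build such as 5.0.1-SNAPSHOT is still recognised as affected, and a result of VERSION_AFFECTED_NO_XPACK is worth acting on anyway, since installing X-Pack later would bring the node into the vulnerable configuration.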


How to mitigate CVE-2016-10364

Upgrade Kibana to a release later than 5.0.1 (5.0.2 is the first unaffected release of the 5.0 line) using the update from the vendor's website. Until the upgrade is done, treat every authenticated Kibana user as able to read advanced settings and use the short URL service.
