#VU16833 Information disclosure in Kibana - CVE-2018-17245
Published: January 8, 2019
Vulnerability identifier: #VU16833
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-17245
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Kibana
Kibana
Software vendor:
Elastic Stack
Elastic Stack
Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to a flaw when authorization credentials are used for generating PDF reports, Native, or File realms. A remote attacker can obtain potentially sensitive information if a report requests external resources plaintext credentials are included in the HTTP request that can be recovered by an external resource provider.
The weakness exists due to a flaw when authorization credentials are used for generating PDF reports, Native, or File realms. A remote attacker can obtain potentially sensitive information if a report requests external resources plaintext credentials are included in the HTTP request that can be recovered by an external resource provider.
Remediation
The vulnerability has been fixed in the versions 6.4.3 and 5.6.13.