Versions
Versions 7.0.0 through 7.17.8 and 8.0.0 through 8.6.0
Versions 7.0.0 through 7.17.4 and 8.0.0 through 8.2.3
Kibana Versions 7.0.0 through 7.17.8 and 8.0.0 through 8.6.1
Versions 7.7.0 through 7.17.0, and 8.0.0
Versions 7.2.1 through 7.17.2 & 8.0.0 through 8.1.2
7.7.0
5.1.1 to 6.1.2 and 5.6.6
before 6.6.1
7.9.0
All versions before 6.1.3 and 5.6.7
All versions from 7.8.0 through 7.15.1
before 6.8.6 and 7.5.1
8.10.0
before 7.2.1 and 6.8.2
7.5.1 through 7.16.3
before 7.12.0 and 6.8.15
7.7.0, 8.0.0
versions 8.0.0 through 8.7.0
8.11.1
before 4.1.3 and 4.2.1
before 5.2.1
6.7.0 to 6.8.8 and 7.0.0 to 7.6.2
8.6.3
before 6.8.11 and 7.8.1
7.10.2
5.4.1
versions before 7.14.1
before 5.0.1 and 4.6.3
5.3.0 to 5.3.3
7.0.0
before 7.12.1
5.4.0
before 6.8.9 and 7.7.0
All versions from 7.9.0 through 7.15.1
after 5.1.1 and before 5.6.7 and 6.1.3
7.17.21
8.x
7.x
4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2
8.13.4
before 5.6.15 and 6.6.1
8.12.0
0
after 6.1.0 and before 6.1.3
after 5.3.0, before 5.6.12 and 6.4.1
before 6.0.1 and 5.6.5
All versions of Kibana before 7.13.0 and 6.8.16.
7.13.0
8.15.0
4.3 to 4.6.2
before 6.4.3 and 5.6.13
8.0.0
version 8.7.0
Recent CVEs
CVE-2024-52972
An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana.
CVE-2024-43707
An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions.
CVE-2024-43708
An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in Kibana UI. This can be carried out by users with read access to any feature in Kibana.
CVE-2024-37285
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv and Kibana privileges https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html assigned to them. The following Elasticsearch indices permissions are required * write privilege on the system indices .kibana_ingest* * The allow_restricted_indices flag is set to true Any of the following Kibana privileges are additionally required * Under Fleet the All privilege is granted * Under Integration the Read or All privilege is granted * Access to the fleet-setup privilege is gained through the Fleet Server’s service account token
CVE-2024-37288
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security’s built-in AI tools https://www.elastic.co/guide/en/security/current/ai-for-security.html and have configured an Amazon Bedrock connector https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html .
CVE-2024-37287
A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution.
CVE-2023-46675
An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or in the event where debug level logging is enabled in Kibana. Elastic has released Kibana 8.11.2 which resolves this issue. The messages recorded in the log may contain Account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users, Elastic Security package policy objects which can contain private keys, bearer token, and sessions of 3rd-party integrations and finally Authorization headers, client secrets, local file paths, and stack traces. The issue may occur in any Kibana instance running an affected version that could potentially receive an unexpected error when communicating to Elasticsearch causing it to include sensitive data into Kibana error logs. It could also occur under specific circumstances when debug level logging is enabled in Kibana. Note: It was found that the fix for ESA-2023-25 in Kibana 8.11.1 for a similar issue was incomplete.
CVE-2023-46671
An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Elastic has released Kibana 8.11.1 which resolves this issue. The error message recorded in the log may contain account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users. The issue occurs infrequently, only if an error is returned from an Elasticsearch cluster, in cases where there is user interaction and an unhealthy cluster (for example, when returning circuit breaker or no shard exceptions).
CVE-2021-22142
Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate the downloadable reports. If a user with permissions to generate reports is able to render arbitrary HTML with this browser, they may be able to leverage known Chromium vulnerabilities to conduct further attacks. Kibana contains a number of protections to prevent this browser from rendering arbitrary content.
CVE-2023-31422
An issue was discovered by Elastic whereby sensitive information is recorded in Kibana logs in the event of an error. The issue impacts only Kibana version 8.10.0 when logging in the JSON layout or when the pattern layout is configured to log the %meta pattern. Elastic has released Kibana 8.10.1 which resolves this issue. The error object recorded in the log contains request information, which can include sensitive data, such as authentication credentials, cookies, authorization headers, query params, request paths, and other metadata. Some examples of sensitive data which can be included in the logs are account credentials for kibana_system, kibana-metricbeat, or Kibana end-users.