PT-2017-7670 · Elastic · Kibana

Published

2017-06-16

Updated

2020-08-14

CVE-2016-1000219

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Kibana versions prior to 4.5.4 Kibana versions prior to 4.1.11

Description The issue allows cookies and authorization headers to be written to log files when a custom output is configured for logging. This could potentially be used to hijack sessions of other users, especially when Kibana is used behind some form of authentication.

Recommendations For versions prior to 4.5.4, update to version 4.5.4 or later to resolve the issue. For versions prior to 4.1.11, update to version 4.1.11 or later to resolve the issue. As a temporary workaround, consider restricting access to log files to minimize the risk of session hijacking.

Fix

Improper Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-285

Related Identifiers

CVE-2016-1000219

RHSA-2016:1836

Affected Products

Kibana

PT-2017-7670 · Elastic · Kibana

CVE-2016-1000219

Weakness Enumeration

Related Identifiers

Affected Products

References · 5