Description
When a custom output is configured for logging in Kibana before 4.5.4 and 4.1.11, cookies and authorization headers could be written to the log files. This information could be used to hijack the sessions of other users when Kibana is deployed behind some form of authentication such as Shield.
References (2)
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/99178
Vendor Advisory x_refsource_confirm
https://www.elastic.co/community/security
Scores
CVSS v3
7.5
EPSS
0.0068
EPSS Percentile
71.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-285
Status
published
Products (1)
elastic/kibana
4.1.0 - 4.1.11
Published
Jun 16, 2017
Tracked Since
Feb 18, 2026