CVE-2016-10364

MEDIUM

Kibana 5.0.0-5.0.1 - Authenticated Privilege Escalation via Advanced Settings and Short URL Service

Title source: llm

Description

With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service. Any authenticated user could make requests to those services regardless of their own permissions.

References (1)

Core References
Vendor Advisory x_refsource_confirm
https://www.elastic.co/community/security

Scores

CVSS v3 6.5
EPSS 0.0017
EPSS Percentile 37.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE CWE-264, CWE-306
Status published
Products (3)
Elastic/Elastic X-Pack Security before 5.0.2
elastic/kibana 5.0.0
elastic/kibana 5.0.1
Published Jun 16, 2017
Tracked Since Feb 18, 2026