CVE-2017-8443
MEDIUMKibana X-Pack Security < 5.4.3 - Unauthenticated Credential Exposure via Crafted Login URL
Title source: llmDescription
In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged into the Kibana access logs.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://www.elastic.co/community/security
Scores
CVSS v3
6.5
EPSS
0.0035
EPSS Percentile
57.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
CWE-598
Status
published
Products (2)
elastic/kibana
< 5.4.2
Elastic/Kibana X-Pack Security
before 5.4.3
Published
Jun 30, 2017
Tracked Since
Feb 18, 2026