CVE-2018-17245

CRITICAL

Kibana <6.5 - Info Disclosure

Title source: llm

Description

Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources plaintext credentials are included in the HTTP request that could be recovered by an external resource provider.

References (2)

[Mitigation, Vendor Advisory] https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594

[Vendor Advisory] https://www.elastic.co/community/security

Scores

CVSS v3 9.8

EPSS 0.0032

EPSS Percentile 54.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-201 CWE-522

Status published

Affected Products (1)

elastic/kibana < 4.6.0

Timeline

Published Dec 20, 2018

Tracked Since Feb 18, 2026