CVE-2018-17245
CRITICALKibana 4.0-4.6, 5.0-5.6.12, 6.0-6.4.2 - Credential Exposure in PDF Report Generation
Title source: llmDescription
Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources plaintext credentials are included in the HTTP request that could be recovered by an external resource provider.
References (2)
Core 2
Core References
Mitigation, Vendor Advisory x_refsource_misc
https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594
Vendor Advisory x_refsource_confirm
https://www.elastic.co/community/security
Scores
CVSS v3
9.8
EPSS
0.0032
EPSS Percentile
55.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-201
CWE-522
Status
published
Products (1)
elastic/kibana
4.0.0 - 4.6.0
Published
Dec 20, 2018
Tracked Since
Feb 18, 2026