Open Redirect

Affecting kibana package, versions >=5.1.1 <5.6.7 || >=6.0.0 <6.1.3

Overview

Kibana is an open source (Apache Licensed), browser-based analytics and search dashboard for Elasticsearch. Kibana is a snap to set up and start using. It strives to be easy to get started with, while also being flexible and powerful, just like Elastic.

Affected versions of the package are vulnerable to Open Redirect via the login page: an attacker can craft a login link that, after use, redirects the victim to an arbitrary website.

Remediation

Upgrade kibana to version 5.6.7, 6.1.3 or higher.

CVSS Score

6.1 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Credit: Unknown
CVE: CVE-2018-3819
CWE: CWE-601
Snyk ID: npm:kibana:20180130-2
Disclosed: 29 Jan, 2018
Published: 01 Mar, 2018