cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-43708,https://securityvulnerability.io/vulnerability/CVE-2024-43708,Resource Allocation Flaw in Kibana by Elastic,"A resource allocation issue in Kibana allows for crashes triggered by specially crafted inputs. This vulnerability can be exploited by users with read access to any feature in Kibana, potentially disrupting the service and affecting users' experience.",Elastic,Kibana,6.5,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-23T10:27:30.753Z,0
CVE-2024-52972,https://securityvulnerability.io/vulnerability/CVE-2024-52972,Resource Allocation Vulnerability in Kibana by Elastic,"A vulnerability in Kibana allows for resource allocation without proper limits or throttling. This can lead to service disruptions when specially crafted requests are sent to the /api/metrics/snapshot endpoint. Users with read access to the Observability Metrics or Logs features can exploit this flaw, potentially causing the system to crash.",Elastic,Kibana,6.5,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-23T06:11:10.715Z,0
CVE-2024-43707,https://securityvulnerability.io/vulnerability/CVE-2024-43707,Information Disclosure in Kibana Affects Elastic Products,"A security issue in Kibana allows unauthorized users to access Elastic Agent policies, potentially exposing sensitive data. The extent of the information disclosure varies based on the enabled integrations for the Elastic Agent and their versions. This vulnerability could lead to unauthorized access to sensitive configurations, emphasizing the need for securing user permissions within the Kibana interface.",Elastic,Kibana,7.7,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-23T06:08:10.724Z,607
CVE-2024-43710,https://securityvulnerability.io/vulnerability/CVE-2024-43710,Server Side Request Forgery in Kibana by Elastic,"A server side request forgery vulnerability was discovered in Kibana, allowing users with read access to the Fleet feature to exploit the /api/fleet/health_check API. This security flaw enables the sending of unauthorized requests to internal endpoints over HTTPS, targeting those that return JSON responses. It is crucial for users of Kibana to update their systems and review access controls to mitigate potential risks associated with this vulnerability.",Elastic,Kibana,4.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-23T06:06:38.572Z,0
CVE-2024-52973,https://securityvulnerability.io/vulnerability/CVE-2024-52973,Resource Allocation Flaw in Kibana by Elastic,"A resource allocation issue in Kibana allows users with read access to the Observability-Logs feature to crash the application by sending a specially crafted request to the /api/log_entries/summary endpoint. This vulnerability does not impose limits or throttling, which can lead to severe application stability issues and unauthorized control over resource consumption.",Elastic,Kibana,6.5,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-21T11:04:06.547Z,0
CVE-2024-37288,https://securityvulnerability.io/vulnerability/CVE-2024-37288,Deserialization vulnerability in Kibana can lead to arbitrary code execution,"A vulnerability in Kibana has been identified, stemming from a deserialization issue that may allow for arbitrary code execution. This flaw occurs specifically when Kibana attempts to process a maliciously crafted YAML document. Only instances of Kibana that leverage Elastic Security’s integrated AI tools and have seamlessly configured an Amazon Bedrock connector are impacted. Users of these features should exercise caution and apply security updates to mitigate potential risks associated with this vulnerability.",Elastic,Kibana,8.8,HIGH,0.0005000000237487257,false,,false,false,false,,,false,false,,2024-09-09T08:29:51.918Z,0
CVE-2024-37287,https://securityvulnerability.io/vulnerability/CVE-2024-37287,Prototype Pollution Vulnerability in Kibana Allows Arbitrary Code Execution,"Summary: A critical security flaw has been identified in Kibana, a popular open-source data visualization and exploration tool, with a vulnerability that allows attackers to execute arbitrary code. The vulnerability, tracked as CVE-2024-37287, has a critical severity rating and affects various Kibana environments, including self-managed installations, instances running the Kibana Docker image, and those on Elastic Cloud. Users are strongly advised to upgrade to Kibana version 8.14.2 or 7.17.23 to address the flaw and protect their systems. There are no known exploitations in the wild by ransomware groups at this time.",Elastic,Kibana,7.2,HIGH,0.0004900000058114529,false,,true,false,true,2024-08-07T08:09:08.000Z,,false,false,,2024-08-13T11:33:45.520Z,0
CVE-2024-37281,https://securityvulnerability.io/vulnerability/CVE-2024-37281,Kibana Denial of Service issue,"A vulnerability has been identified in Kibana that allows a user with a Viewer role to exploit the system's request handling functionality. By sending a substantial number of specially crafted requests to a designated endpoint, an attacker can cause the Kibana instance to experience crashes. This issue not only disrupts the service but also affects users' access to important analytics and visualizations, highlighting the need for prompt updates and security measures to mitigate such threats.",Elastic,Kibana,6.5,MEDIUM,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-07-30T21:45:36.488Z,0
CVE-2024-23443,https://securityvulnerability.io/vulnerability/CVE-2024-23443,Kibana Vulnerability Affecting Elastic Product,"A vulnerability in Kibana allows a high-privileged user to create and upload a custom osquery pack that could potentially disrupt the availability of the application. If exploited, this could lead to unintentional denial-of-service conditions, emphasizing the need for rigorous access controls and monitoring of user actions within Kibana.",Elastic,Kibana,4.9,MEDIUM,0.0004400000034365803,false,,false,false,false,,,false,false,,2024-06-19T13:47:29.166Z,0
CVE-2024-23442,https://securityvulnerability.io/vulnerability/CVE-2024-23442,Kibana Open Redirect Vulnerability Could Lead to Arbitrary Website Redirection,An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL.,Elastic,Kibana,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-06-14T14:26:53.169Z,0
CVE-2024-37279,https://securityvulnerability.io/vulnerability/CVE-2024-37279,"Kibana Flaw Allows View-Only Users to Continuously Run Alerting Rules, Affecting System Availability","A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API making the alerting rule run continuously, potentially affecting the system availability if the alerting rule is running complex queries.",Elastic,Kibana,4.3,MEDIUM,0.0004400000034365803,false,,false,false,false,,,false,false,,2024-06-13T17:04:41.737Z,0
CVE-2024-23446,https://securityvulnerability.io/vulnerability/CVE-2024-23446,Unauthorized Access to Documents via DLS/FLS in .alerts-security.alerts-{space_id} Indices,"An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the .alerts-security.alerts-{space_id} indices. Users who are authorized to call this API may obtain unauthorized access to documents if their roles are configured with DLS or FLS against the aforementioned index.",Elastic,Kibana,6.5,MEDIUM,0.000750000006519258,false,,false,false,false,,,false,false,,2024-02-07T03:16:39.182Z,0
CVE-2023-46671,https://securityvulnerability.io/vulnerability/CVE-2023-46671,Kibana Insertion of Sensitive Information into Log File,"An information exposure vulnerability exists in Kibana, allowing sensitive data such as account credentials and API keys to be logged in case of errors during user interactions with an unhealthy Elasticsearch cluster. This issue arises infrequently, specifically during error conditions like circuit breaker or no shard exceptions. Users are advised to upgrade to Kibana version 8.11.1, which mitigates this risk by preventing sensitive information from being recorded in the logs.",Elastic,Kibana,8,HIGH,0.0006300000241026282,false,,false,false,false,,,false,false,,2023-12-13T07:15:00.000Z,0
CVE-2023-46675,https://securityvulnerability.io/vulnerability/CVE-2023-46675,Kibana Insertion of Sensitive Information into Log File,"A vulnerability in Elastic's Kibana could allow sensitive information to be unintentionally included in logs during error events, especially when debug-level logging is enabled. This logging behavior may expose account credentials, API keys, and private data related to Elastic Security integrations, creating potential security risks for affected users. Users are encouraged to upgrade to Kibana version 8.11.2 or later to mitigate the risk.",Elastic,Kibana,8,HIGH,0.0006200000061653554,false,,false,false,false,,,false,false,,2023-12-13T07:15:00.000Z,0
CVE-2021-22142,https://securityvulnerability.io/vulnerability/CVE-2021-22142,Kibana Reporting vulnerabilities,"Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate the downloadable reports. If a user with permissions to generate reports is able to render arbitrary HTML with this browser, they may be able to leverage known Chromium vulnerabilities to conduct further attacks. Kibana contains a number of protections to prevent this browser from rendering arbitrary content.",Elastic,Kibana,6.6,MEDIUM,0.0008900000248104334,false,,false,false,false,,,false,false,,2023-11-22T01:00:25.568Z,0
CVE-2021-22151,https://securityvulnerability.io/vulnerability/CVE-2021-22151,Kibana path traversal issue,"It was discovered that Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension.",Elastic,Kibana,3.1,LOW,0.0006300000241026282,false,,false,false,false,,,false,false,,2023-11-22T00:36:51.150Z,0
CVE-2021-22150,https://securityvulnerability.io/vulnerability/CVE-2021-22150,Kibana code execution issue,"It was discovered that a user with Fleet admin permissions could upload a malicious package. Due to using an older version of the js-yaml library, this package would be loaded in an insecure manner, allowing an attacker to execute commands on the Kibana server.",Elastic,Kibana,6.6,MEDIUM,0.0009299999801442027,false,,false,false,false,,,false,false,,2023-11-22T00:30:56.115Z,0
CVE-2023-31422,https://securityvulnerability.io/vulnerability/CVE-2023-31422,Kibana Insertion of Sensitive Information into Log File,"A vulnerability has been identified in Elastic Kibana, where sensitive user information may be unintentionally recorded in logs during error events. This issue specifically affects Kibana version 8.10.0, particularly when utilizing JSON logging and certain pattern configurations that incorporate the %meta pattern. The logged error objects may include highly sensitive data such as authentication credentials, cookies, authorization headers, and query parameters, potentially revealing account details for users such as kibana_system and kibana-metricbeat. To mitigate this risk, users are advised to upgrade to Kibana 8.10.1, which addresses this logging issue.",Elastic,Kibana,7.5,HIGH,0.0014299999456852674,false,,false,false,false,,,false,false,,2023-10-26T02:15:00.000Z,0
CVE-2023-31414,https://securityvulnerability.io/vulnerability/CVE-2023-31414,Arbitrary Code Execution in Kibana by Elastic,"Kibana versions 8.0.0 through 8.7.0 are susceptible to an arbitrary code execution vulnerability. This flaw allows an attacker with write access to the Kibana YAML or environment configuration files to inject a malicious payload. Upon execution, this payload could run JavaScript code, enabling the attacker to execute arbitrary commands on the host machine with the same permissions as the Kibana process. This vulnerability emphasizes the importance of securing configuration files and managing user permissions to mitigate potential risks.",Elastic,Kibana,8.8,HIGH,0.0016599999507889152,false,,false,false,false,,,false,false,,2023-05-04T00:00:00.000Z,0
CVE-2023-31415,https://securityvulnerability.io/vulnerability/CVE-2023-31415,Arbitrary Code Execution Vulnerability in Kibana by Elastic,"In Kibana version 8.7.0, an arbitrary code execution vulnerability has been identified that allows an attacker with all privileges to the Uptime/Synthetics feature to send a specially crafted request. This request can execute arbitrary JavaScript code on the server, potentially allowing the attacker to run commands with the same permissions as the Kibana process. This poses a serious security risk, as it could enable unauthorized access to host systems and sensitive data.",Elastic,Kibana,8.8,HIGH,0.0016599999507889152,false,,false,false,false,,,false,false,,2023-05-04T00:00:00.000Z,0
CVE-2022-38779,https://securityvulnerability.io/vulnerability/CVE-2022-38779,Open Redirect Vulnerability in Kibana by Elastic,"An open redirect vulnerability was identified in Kibana, enabling attackers to craft malicious URLs that redirect users to arbitrary and potentially harmful websites. This issue highlights the need for robust URL validation mechanisms to prevent unauthorized redirects, thereby safeguarding users from phishing attempts and other malicious activities.",Elastic,Kibana,6.1,MEDIUM,0.0007300000288523734,false,,false,false,false,,,false,false,,2023-02-22T00:15:00.000Z,0
CVE-2022-38778,https://securityvulnerability.io/vulnerability/CVE-2022-38778,Server Crash Vulnerability in Kibana by Elastic,"A vulnerability exists in Kibana due to a flaw in a third-party dependency that could allow an authenticated user to issue a request that may crash the Kibana server process. This flaw poses a risk to service availability, potentially disrupting operations for users relying on Kibana for data visualization and management.",Elastic,Kibana,6.5,MEDIUM,0.0008500000112690032,false,,false,false,false,,,false,false,,2023-02-08T00:00:00.000Z,0
CVE-2021-22141,https://securityvulnerability.io/vulnerability/CVE-2021-22141,Open Redirect Vulnerability in Kibana by Elastic,"An open redirect vulnerability exists in Kibana, allowing a logged-in user to be redirected to arbitrary external websites after accessing a specially crafted URL. This issue affects Kibana versions prior to 7.13.0 and 6.8.16, presenting a risk of phishing attacks, as attackers could leverage this flaw to mislead users into visiting malicious sites.",Elastic,Kibana,6.1,MEDIUM,0.0007800000021234155,false,,false,false,false,,,false,false,,2022-11-18T00:00:00.000Z,0
CVE-2021-37936,https://securityvulnerability.io/vulnerability/CVE-2021-37936,HTML Injection Vulnerability in Kibana from Elastic,"An HTML injection vulnerability exists in Kibana due to improper sanitization of document fields containing HTML snippets. An attacker with write access to an Elasticsearch index could exploit this flaw by injecting HTML into the documents. This could lead to the malicious HTML being rendered when users utilize the Discover app to highlight search terms, potentially compromising user interactions and exposing them to security risks.",Elastic,Kibana,5.4,MEDIUM,0.000539999979082495,false,,false,false,false,,,false,false,,2022-11-18T00:00:00.000Z,0
CVE-2022-23713,https://securityvulnerability.io/vulnerability/CVE-2022-23713,Cross-Site Scripting Vulnerability in Vega Charts Integration for Kibana by Elastic,"A cross-site scripting (XSS) vulnerability has been identified in the Vega Charts integration for Kibana by Elastic. This vulnerability could potentially allow an attacker to inject and execute arbitrary JavaScript code in the browsers of users accessing the compromised content. Such exploitation could lead to unauthorized actions on behalf of users, data theft, or the injection of malicious scripts that could harm the user's system or compromise sensitive information.",Elastic,Kibana,6.1,MEDIUM,0.0007900000200606883,false,,false,false,false,,,false,false,,2022-07-06T13:56:13.000Z,0