kibana@5.1.1 vulnerabilities

Kibana is an open source (Apache Licensed), browser-based analytics and search dashboard for Elasticsearch. Kibana is a snap to set up and start using. Kibana strives to be easy to get started with, while also being flexible and powerful, just like Elastic.

Direct Vulnerabilities

Known vulnerabilities in the kibana package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerabilities, with severity badge (C = critical, H = high, M = medium) and vulnerable version range:

• [M] Open Redirect

Affected versions of this package are vulnerable to Open Redirect when a logged-in user visits a maliciously crafted URL.

Note: The kibana package has been deprecated from NPM. Fixed versions are not supported by the ecosystem.

How to fix Open Redirect?

Upgrade kibana to version 6.8.16, 7.13.0 or higher.

Vulnerable versions: <6.8.16 >=7.0.0 <7.13.0

• [M] Prototype Pollution

Affected versions of this package are vulnerable to Prototype Pollution. A prototype pollution flaw exists in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.

How to fix Prototype Pollution?

Upgrade kibana to version 6.8.9, 7.7.0 or higher.

Vulnerable versions: <6.8.9 <7.7.0

• [C] Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). A stored XSS flaw exists in the TSVB visualization. An attacker who is able to edit or create a TSVB visualization could obtain sensitive information from, or perform destructive actions on behalf of, Kibana users who edit that TSVB visualization.

How to fix Cross-site Scripting (XSS)?

Upgrade kibana to version 6.8.10, 7.7.1 or higher.

Vulnerable versions: <6.8.10 >=7.7.0 <7.7.1

• [M] Arbitrary Command Execution

Affected versions of this package are vulnerable to Arbitrary Command Execution due to a file inclusion flaw in the Console plugin.

How to fix Arbitrary Command Execution?

Upgrade kibana to version 5.6.13, 6.4.3 or higher.

Vulnerable versions: <5.3.13 >=6.4.0 <6.4.3

• [M] Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

How to fix Cross-site Scripting (XSS)?

Upgrade kibana to version 5.6.6, 6.1.2 or higher.

Vulnerable versions: >=5.1.1 <5.6.6 >=6.0.0 <6.1.2

• [H] Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. When it is configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes. Requests that are canceled before data is sent can also crash the process.

How to fix Denial of Service (DoS)?

Upgrade kibana to version 5.2.1 or higher.

Vulnerable versions: >=5.0.0 <5.2.1

• [M] Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks in the Time Series Visual Builder. It could allow an attacker to obtain sensitive information from Kibana users.

How to fix Cross-site Scripting (XSS)?

Upgrade kibana to version 5.4.1 or higher.

Vulnerable versions: <5.4.1

• [M] Open Redirect

Affected versions of the package are vulnerable to Open Redirect on the login page, which would enable an attacker to craft a link that redirects to an arbitrary website.

How to fix Open Redirect?

Upgrade kibana to version 5.6.7, 6.1.3 or higher.

Vulnerable versions: >=5.1.1 <5.6.7 >=6.0.0 <6.1.3

• [M] Cross-site Scripting (XSS)

Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

How to fix Cross-site Scripting (XSS)?

Upgrade kibana to version 5.6.7 or higher.

Vulnerable versions: >=5.1.1 <5.6.7 >=6.0.0 <6.1.3

• [M] Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS).

Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

Vulnerable versions: <5.6.5 >=6 <6.0.1

• [M] Open Redirect

Affected versions of this package are vulnerable to Open Redirect.

The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.

Vulnerable versions: <5.6.5 >=6 <6.0.1

• [M] Open Redirect

Affected versions of this package are vulnerable to Open Redirect.

With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. Shield versions for Kibana prior to 2.4.5 are also affected.

Vulnerable versions: <5.3.1

• [H] Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS).

In Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors fail to be cleaned up after certain requests and accumulate over time until the process crashes.

How to fix Denial of Service (DoS)?

Upgrade kibana to version 5.2.1 or higher.

Vulnerable versions: <5.2.1

• [M] Information Exposure

Affected versions of this package are vulnerable to Information Exposure.

In Kibana X-Pack security versions prior to 5.4.3, if a Kibana user opens a crafted Kibana URL, the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged in the Kibana access logs.

How to fix Information Exposure?

Upgrade kibana to version 5.4.3 or higher.

Vulnerable versions: <5.4.3

• [M] Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks in Timelion. It could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

How to fix Cross-site Scripting (XSS)?

Upgrade kibana to version 5.6.1 or higher.

Vulnerable versions: <5.6.1