CVE-2018-17245
First published: Thu Dec 20 2018(Updated: )
Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources plaintext credentials are included in the HTTP request that could be recovered by an external resource provider.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Kibana | >=4.0.0<=4.6.0 | |
| Elastic Kibana | >=5.0.0<=5.6.12 | |
| Elastic Kibana | >=6.0.0<=6.4.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2018-17245?
CVE-2018-17245 is a vulnerability found in Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 that allows plaintext credentials to be included in HTTP requests when generating PDF reports.
How severe is CVE-2018-17245?
CVE-2018-17245 has a severity score of 9.8, which is considered critical.
Which software versions are affected by CVE-2018-17245?
Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 are affected by CVE-2018-17245.
How can I fix CVE-2018-17245?
To fix CVE-2018-17245, it is recommended to upgrade Kibana to a version that is not affected (6.4.3 or 5.6.13) or apply the security update provided by Elastic.
What is the Common Weakness Enumeration (CWE) for CVE-2018-17245?
CVE-2018-17245 is associated with CWE-522 (Insufficiently Protected Credentials) and CWE-201 (Information Exposure).
- collector/nvd-index
- vendor/elastic
- canonical/elastic kibana
- version/elastic kibana/4.0.0
- version/elastic kibana/4.6.0
- version/elastic kibana/5.0.0
- version/elastic kibana/5.6.12
- version/elastic kibana/6.0.0
- version/elastic kibana/6.4.2