1533357 – (CVE-2017-8443) CVE-2017-8443 kibana: Crafted URLs can be used to trick users into disclosing their password

Bug 1533357 (CVE-2017-8443) - CVE-2017-8443 kibana: Crafted URLs can be used to trick users into disclosing their password

Summary: CVE-2017-8443 kibana: Crafted URLs can be used to trick users into disclosing...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2017-8443
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-01-11 07:13 UTC by Sam Fowler
Modified:	2019-09-29 14:29 UTC (History)
CC List:	21 users (show)
Fixed In Version:	kibana 5.4.3
Clone Of:
Environment:
Last Closed:	2018-01-11 07:30:27 UTC
Embargoed:

Attachments	(Terms of Use)

Description Sam Fowler 2018-01-11 07:13:57 UTC

In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged into the Kibana access logs.

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-8443
https://discuss.elastic.co/t/elastic-stack-5-4-3-security-update/91006

Note You need to log in before you can comment on or make changes to this bug.

apevec
bleanhar
ccoleman
chrisw
dedgar
dmcphers
jgoulding
jjoyce
jkeck
jschluet
kbasil
kseifried
lhh
lpeer
markmc
mburns
mmagr
rbryant
sclewis
slinaber
tdecacqu