Bug 1535284 – CVE-2018-3818 kibana: Cross-site scripting (XSS) vulnerability via colored fields formatter

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1535284 - (CVE-2018-3818) CVE-2018-3818 kibana: Cross-site scripting (XSS) vulnerability via colored fields formatter

Summary:	CVE-2018-3818 kibana: Cross-site scripting (XSS) vulnerability via colored fi...

Status:	NEW

Aliases:	CVE-2018-3818

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20180116,repor...
Keywords:	Security

Depends On:	1566714
Blocks:	1535285
	Show dependency tree / graph

Reported:	2018-01-16 22:33 EST by Sam Fowler
Modified:	2018-06-29 18:31 EDT (History)
CC List:	23 users (show)

See Also:
Fixed In Version:	kibana 5.6.6, kibana 6.1.2
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Sam Fowler 2018-01-16 22:33:06 EST

Kibana versions 5.1.1 to before 6.1.2 and 5.6.6 have a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

References:
https://www.elastic.co/guide/en/kibana/5.6/release-notes-5.6.6.html
https://www.elastic.co/guide/en/kibana/6.1/release-notes-6.1.2.html
https://github.com/elastic/kibana/pull/15837

Comment 1 Joshua Padman 2018-01-17 06:14:00 EST

The affected code does not exist within the version of Kibana in OpenStack.

Comment 4 Andrej Nemec 2018-05-14 08:29:02 EDT

Statement:

This issue affects the versions of kibana as shipped with Red Hat OpenShift Enterprise Linux. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.

ahardin
apevec
bleanhar
ccoleman
chrisw
dedgar
dmcphers
jgoulding
jjoyce
jkeck
jokerman
jschluet
kbasil
lhh
lpeer
markmc
mburns
mchappel
mmagr
rbryant
sclewis
slinaber
tdecacqu