Bug 1632450 – CVE-2018-3830 kibana: Cross-site scripting via the source field formatter

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1632450 - (CVE-2018-3830) CVE-2018-3830 kibana: Cross-site scripting via the source field formatter

Summary:	CVE-2018-3830 kibana: Cross-site scripting via the source field formatter

Status:	NEW

Aliases:	CVE-2018-3830

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20180918,repor...
Keywords:	Security

Depends On:	1638602
Blocks:	1632451
	Show dependency tree / graph

Reported:	2018-09-24 16:16 EDT by Pedro Sampaio
Modified:	2018-10-11 23:26 EDT (History)
CC List:	22 users (show)

See Also:
Fixed In Version:	kibana-5.6.12, kibana-6.4.1
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Pedro Sampaio 2018-09-24 16:16:28 EDT

Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

References:

https://www.elastic.co/community/security
https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035

Comment 1 Joshua Padman 2018-09-25 07:30:54 EDT

The version included in Red Hat OpenStack 8 & 9, and released as a technical preview, does not contain the vulnerable code. The functionality is not available in kibana-3.1.2, there was a significant rewrite after this time.

Comment 3 Jason Shepherd 2018-10-11 23:22:36 EDT

Upstream commits:

6.4: https://github.com/elastic/kibana/commit/45e4791efd405b2691c4008d6c3a050e0e7bbdcc#diff-efac77c548187c0b16fe1e531c8210ae
5.6: https://github.com/elastic/kibana/commit/a07347478b7a3b1661cfb77c149fd15bdeb8921d#diff-3ff6e2858b8906e63dd44b7ac317f199

Note You need to log in before you can comment on or make changes to this bug.

ahardin
apevec
bleanhar
ccoleman
chrisw
dedgar
eparis
jgoulding
jjoyce
jokerman
jschluet
kbasil
lhh
lpeer
markmc
mburns
mchappel
mmagr
rbryant
sclewis
slinaber
tdecacqu