Bug 1647346 (CVE-2018-17245) - CVE-2018-17245 kibana: Information leak in the PDF generation process
Summary: CVE-2018-17245 kibana: Information leak in the PDF generation process
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2018-17245
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1647349
 
Reported: 2018-11-07 09:15 UTC by Andrej Nemec
Modified: 2019-09-29 15:02 UTC (History)

Fixed In Version: kibana 6.4.3, kibana 5.6.13
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-09 03:36:19 UTC
Embargoed:



Description Andrej Nemec 2018-11-07 09:15:36 UTC
Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources, plaintext credentials are included in the HTTP request that could be recovered by an external resource provider.

References:

https://www.elastic.co/blog/elastic-support-alert-kibana-reporting-vulnerability
https://www.elastic.co/community/security
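
The bug class the description refers to, modelled as an added example. This is illustrative code written for this page, not Kibana's or Elastic's own code and not a reconstruction of the actual fix. It assumes the report renderer fetches every resource a report references with an HTTP client, that the caller's credentials travel in an Authorization header using the Basic scheme, and that the appropriate remedy is to attach that header only to requests going back to the Kibana server's own origin (scheme, host and port). All hostnames, the credential values and the function names are constructed for the illustration.

```javascript
// Added illustrative example, not Kibana code. Models a report renderer that
// fetches the resources a report embeds. The header name (Authorization), the
// Basic scheme, the same-origin rule and every hostname below are assumptions.

// Vulnerable pattern: the caller's credentials are attached to every outbound
// request, so any third-party resource host receives them.
function buildRequestVulnerable(resourceUrl, authHeader) {
  return { url: resourceUrl, headers: { Authorization: authHeader } };
}

// Origin comparison: scheme + host + port must all match.
function sameOrigin(a, b) {
  const x = new URL(a);
  const y = new URL(b);
  return (
    x.protocol === y.protocol &&
    x.hostname.toLowerCase() === y.hostname.toLowerCase() &&
    x.port === y.port
  );
}

// Hardened pattern: credentials are attached only when the resource is served
// by the same origin as the Kibana server generating the report.
function buildRequestHardened(resourceUrl, authHeader, kibanaOrigin) {
  const headers = {};
  if (sameOrigin(resourceUrl, kibanaOrigin)) {
    headers.Authorization = authHeader;
  }
  return { url: resourceUrl, headers };
}

// Stand-in for a "resource provider": returns the host of every request that
// arrived carrying an Authorization header, i.e. every host that saw credentials.
function hostsThatReceiveCredentials(requests) {
  return requests
    .filter((r) => r.headers.Authorization !== undefined)
    .map((r) => new URL(r.url).host);
}

// What an external host can do with a forwarded Basic header: Base64 is an
// encoding, not encryption, so the user:password pair is recovered directly.
function recoverBasicCredentials(authHeader) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(authHeader || '');
  return m ? Buffer.from(m[1], 'base64').toString('utf8') : null;
}

// Constructed sample input: the Kibana origin, three resources a report might
// embed (one served by Kibana over HTTPS, one by a third party, one by the same
// Kibana host but over plain HTTP), and a constructed Basic credential.
const KIBANA_ORIGIN = 'https://kibana.example.internal:5601';
const SAMPLE_RESOURCES = [
  'https://kibana.example.internal:5601/plugins/kibana/assets/logo.png',
  'https://cdn.attacker.example/img/pixel.png',
  'http://kibana.example.internal:5601/ui/favicons/favicon.ico',
];
const SAMPLE_AUTH =
  'Basic ' + Buffer.from('reporting_user:s3cret').toString('base64');

// Runs one request builder over the sample resources and reports which hosts
// ended up holding the caller's credentials.
function leakedHosts(builder) {
  const requests = SAMPLE_RESOURCES.map((u) =>
    builder(u, SAMPLE_AUTH, KIBANA_ORIGIN)
  );
  return hostsThatReceiveCredentials(requests);
}

console.log('vulnerable builder leaks to:', leakedHosts(buildRequestVulnerable));
console.log('hardened builder leaks to:  ', leakedHosts(buildRequestHardened));
console.log(
  'third party recovers:',
  recoverBasicCredentials(SAMPLE_AUTH)
);
```

The origin check deliberately treats a scheme downgrade (the plain-HTTP entry for the same Kibana host) as a different origin, so credentials are not sent over an unencrypted hop either. The same shape of check applies to any server-side renderer or fetcher that reuses a caller's session or API credentials when following URLs it did not choose itself.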

Comment 1 Joshua Padman 2018-11-08 03:43:01 UTC
The PDF report generation is part of x-pack. Prior to version 6.3, x-pack was not a default part of the open-source project and not included in the packages provided by Red Hat.

Comment 2 Paul Harvey 2018-11-09 00:09:28 UTC
openshift-enterprise-3.x: as stated in comment 1, no release of OCP so far includes a version of kibana which includes x-pack.

