Bug 1632450 (CVE-2018-3830) - CVE-2018-3830 kibana: Cross-site scripting via the source field formatter
Summary: CVE-2018-3830 kibana: Cross-site scripting via the source field formatter
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-3830
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1638602
Blocks: 1632451
 
Reported: 2018-09-24 20:16 UTC by Pedro Sampaio
Modified: 2021-12-10 17:38 UTC (History)
CC List: 22 users

Fixed In Version: kibana-5.6.12, kibana-6.4.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:38:30 UTC
Embargoed:




Links
Red Hat Product Errata RHSA-2018:3537 (Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2018-12-03 17:28:18 UTC)

Description Pedro Sampaio 2018-09-24 20:16:28 UTC
Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

References:

https://www.elastic.co/community/security
https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035
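
The report above names the bug class (HTML injection through a field formatter that renders indexed document values) but not the code. The block below is an added illustration of that class, written for this page; it is not Kibana's source and does not reproduce the actual vulnerable code path. The sample document, the field names and the `dt`/`dd` markup are constructed assumptions chosen to show the difference between a formatter that concatenates raw values into markup and one that escapes them.

```javascript
// Added illustration of the bug class (HTML injection through a field
// formatter), not Kibana's own code. SAMPLE_DOC, its field names and the
// dt/dd markup are constructed assumptions for this example.

// Vulnerable pattern: raw field values concatenated straight into markup.
// Any value containing '<' or a quote can break out of the text context.
function formatSourceUnsafe(doc) {
  return Object.entries(doc)
    .map(([key, value]) => `<dt>${key}</dt><dd>${String(value)}</dd>`)
    .join('');
}

// Escape the five characters that can change HTML structure or attribute
// context before inserting untrusted text into markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every key and value is escaped. Nested objects are
// serialised to JSON and escaped as text rather than recursed into as markup,
// so an attacker cannot smuggle tags through a sub-document either.
function formatSourceSafe(doc) {
  return Object.entries(doc)
    .map(([key, value]) => {
      const text = typeof value === 'object' && value !== null
        ? JSON.stringify(value)
        : String(value);
      return `<dt>${escapeHtml(key)}</dt><dd>${escapeHtml(text)}</dd>`;
    })
    .join('');
}

// Constructed sample document: a field whose value is attacker-controlled,
// as happens when untrusted log lines are ingested into an index and later
// rendered for another user.
const SAMPLE_DOC = {
  host: 'web-01',
  message: '<img src=x onerror="alert(document.cookie)">',
};

// Check used by the test: after stripping the formatter's own dt/dd tags,
// does any element start tag survive in the rendered markup? True means a
// value reached the page unescaped.
function containsRawTag(html) {
  return /<[a-zA-Z]/.test(html.replace(/<\/?d[td]>/g, ''));
}

// Stand-alone run: show both renderings side by side.
console.log('unsafe:', formatSourceUnsafe(SAMPLE_DOC));
console.log('safe:  ', formatSourceSafe(SAMPLE_DOC));
```

The escaping has to happen at the point of insertion into markup, not at ingestion: the index stores whatever was logged, and every renderer that turns a stored value into HTML is a separate place where the escape can be forgotten.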

Comment 1 Joshua Padman 2018-09-25 11:30:54 UTC
The version included in Red Hat OpenStack 8 & 9, and released as a technical preview, does not contain the vulnerable code. The functionality is not available in kibana-3.1.2; there was a significant rewrite after this time.

Comment 4 errata-xmlrpc 2018-12-03 17:28:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2018:3537 https://access.redhat.com/errata/RHSA-2018:3537

