Bitnami package
elk
pkg:bitnami/elk
Vulnerabilities (56)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-25016 | — | >= 7.17.0, < 7.17.18 | 7.17.18 | May 1, 2025 | Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation. | ||
| CVE-2024-12556 | — | >= 8.16.1, < 8.17.1 | 8.17.1 | Apr 8, 2025 | Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. | ||
| CVE-2024-52974 | — | >= 7.17.0, < 7.17.23 | 7.17.23 | Apr 8, 2025 | An issue has been identified where a specially crafted request sent to an Observability API could cause the kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned to them. | ||
| CVE-2025-25015 | — | >= 8.15.0, < 8.17.3 | 8.17.3 | Mar 5, 2025 | Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2 , this is only expl | ||
| CVE-2024-43708 | — | >= 7.0.0, < 7.17.23 | 7.17.23 | Jan 23, 2025 | An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in Kibana UI. This can be carried out by users with read access to any feature in Kibana. | ||
| CVE-2024-52972 | — | >= 7.0.0, < 7.17.23 | 7.17.23 | Jan 23, 2025 | An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana. | ||
| CVE-2024-43707 | — | >= 8.0.0, < 8.15.0 | 8.15.0 | Jan 23, 2025 | An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions. | ||
| CVE-2024-43710 | — | >= 8.7.0, < 8.15.0 | 8.15.0 | Jan 23, 2025 | A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. Th | ||
| CVE-2024-37285 | — | >= 8.10.0, < 8.15.1 | 8.15.1 | Nov 14, 2024 | A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges https://www.el | ||
| CVE-2024-37288 | — | >= 8.15.0, < 8.15.1 | 8.15.1 | Sep 9, 2024 | A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security’s built-in AI tools https://www.elastic.co/guide/en/security/current/ai-for- | ||
| CVE-2024-37281 | — | >= 7.0.0, < 7.17.23 | 7.17.23 | Jul 30, 2024 | An issue was discovered in Kibana where a user with Viewer role could cause a Kibana instance to crash by sending a large number of maliciously crafted requests to a specific endpoint. | ||
| CVE-2024-23443 | — | < 8.14.0 | 8.14.0 | Jun 19, 2024 | A high-privileged user, allowed to create custom osquery packs 17 could affect the availability of Kibana by uploading a maliciously crafted osquery pack. | ||
| CVE-2024-23442 | — | < 7.17.22 | 7.17.22 | Jun 14, 2024 | An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL. | ||
| CVE-2024-37279 | — | >= 8.6.3, < 8.14.0 | 8.14.0 | Jun 13, 2024 | A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API making the alerting rule run continuously, potentially affecting the system availability if the alerting rule is running complex queries. | ||
| CVE-2020-7017 | — | < 6.8.11 | 6.8.11 | Jul 27, 2020 | In Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the reg | ||
| CVE-2020-7016 | — | < 6.8.11 | 6.8.11 | Jul 27, 2020 | Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive. |
- CVE-2025-25016May 1, 2025affected >= 7.17.0, < 7.17.18fixed 7.17.18
Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation.
- CVE-2024-12556Apr 8, 2025affected >= 8.16.1, < 8.17.1fixed 8.17.1
Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal.
- CVE-2024-52974Apr 8, 2025affected >= 7.17.0, < 7.17.23fixed 7.17.23
An issue has been identified where a specially crafted request sent to an Observability API could cause the kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned to them.
- CVE-2025-25015Mar 5, 2025affected >= 8.15.0, < 8.17.3fixed 8.17.3
Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2 , this is only expl
- CVE-2024-43708Jan 23, 2025affected >= 7.0.0, < 7.17.23fixed 7.17.23
An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in Kibana UI. This can be carried out by users with read access to any feature in Kibana.
- CVE-2024-52972Jan 23, 2025affected >= 7.0.0, < 7.17.23fixed 7.17.23
An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana.
- CVE-2024-43707Jan 23, 2025affected >= 8.0.0, < 8.15.0fixed 8.15.0
An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions.
- CVE-2024-43710Jan 23, 2025affected >= 8.7.0, < 8.15.0fixed 8.15.0
A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. Th
- CVE-2024-37285Nov 14, 2024affected >= 8.10.0, < 8.15.1fixed 8.15.1
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges https://www.el
- CVE-2024-37288Sep 9, 2024affected >= 8.15.0, < 8.15.1fixed 8.15.1
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security’s built-in AI tools https://www.elastic.co/guide/en/security/current/ai-for-
- CVE-2024-37281Jul 30, 2024affected >= 7.0.0, < 7.17.23fixed 7.17.23
An issue was discovered in Kibana where a user with Viewer role could cause a Kibana instance to crash by sending a large number of maliciously crafted requests to a specific endpoint.
- CVE-2024-23443Jun 19, 2024affected < 8.14.0fixed 8.14.0
A high-privileged user, allowed to create custom osquery packs 17 could affect the availability of Kibana by uploading a maliciously crafted osquery pack.
- CVE-2024-23442Jun 14, 2024affected < 7.17.22fixed 7.17.22
An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL.
- CVE-2024-37279Jun 13, 2024affected >= 8.6.3, < 8.14.0fixed 8.14.0
A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API making the alerting rule run continuously, potentially affecting the system availability if the alerting rule is running complex queries.
- CVE-2020-7017Jul 27, 2020affected < 6.8.11fixed 6.8.11
In Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the reg
- CVE-2020-7016Jul 27, 2020affected < 6.8.11fixed 6.8.11
Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive.
Page 3 of 3