VYPR

Bitnami package

kibana

pkg:bitnami/kibana

Vulnerabilities (46)

  • CVE-2025-37734Nov 12, 2025
    affected >= 8.12.0, < 8.19.7fixed 8.19.7

    Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.

  • CVE-2025-25017Oct 10, 2025
    affected < 8.18.8fixed 8.18.8

    Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)

  • CVE-2025-25018Oct 10, 2025
    affected < 8.18.8fixed 8.18.8

    Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)

  • CVE-2025-37728MedOct 7, 2025
    affected < 8.18.8fixed 8.18.8

    Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which the

  • CVE-2025-25009Oct 7, 2025
    affected < 8.18.8fixed 8.18.8

    Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.

  • CVE-2025-25010Aug 28, 2025
    affected >= 9.0.0, < 9.0.6fixed 9.0.6

    Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access all Kibana Spaces.

  • CVE-2025-25012Jun 25, 2025
    affected >= 7.0.0, < 7.17.29fixed 7.17.29

    URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.

  • CVE-2024-43706Jun 10, 2025
    affected >= 8.12.0, < 8.12.1fixed 8.12.1

    Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint.

  • CVE-2025-25014May 6, 2025
    affected >= 8.3.0, < 8.17.6fixed 8.17.6

    A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.

  • CVE-2024-11390May 1, 2025
    affected >= 7.17.6, < 7.17.23fixed 7.17.23

    Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices.

  • CVE-2025-25016May 1, 2025
    affected >= 7.17.0, < 7.17.18fixed 7.17.18

    Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation.

  • CVE-2024-12556Apr 8, 2025
    affected >= 8.16.1, < 8.17.1fixed 8.17.1

    Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal.

  • CVE-2024-52974Apr 8, 2025
    affected >= 7.17.0, < 7.17.23fixed 7.17.23

    An issue has been identified where a specially crafted request sent to an Observability API could cause the kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned to them.

  • CVE-2025-25015Mar 5, 2025
    affected >= 8.15.0, < 8.17.3fixed 8.17.3

    Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2 , this is only expl

  • CVE-2024-43708Jan 23, 2025
    affected >= 7.0.0, < 7.17.23fixed 7.17.23

    An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in Kibana UI. This can be carried out by users with read access to any feature in Kibana.

  • CVE-2024-52972Jan 23, 2025
    affected >= 7.0.0, < 7.17.23fixed 7.17.23

    An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana.

  • CVE-2024-43707Jan 23, 2025
    affected >= 8.0.0, < 8.15.0fixed 8.15.0

    An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions.

  • CVE-2024-43710Jan 23, 2025
    affected >= 8.7.0, < 8.15.0fixed 8.15.0

    A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. Th

  • CVE-2024-37285Nov 14, 2024
    affected >= 8.10.0, < 8.15.1fixed 8.15.1

    A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges https://www.el

  • CVE-2024-37288Sep 9, 2024
    affected >= 8.15.0, < 8.15.1fixed 8.15.1

    A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security’s built-in AI tools https://www.elastic.co/guide/en/security/current/ai-for-

Page 2 of 3