- Description
- With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those services regardless of their own permissions.
- Source
- bressers@elastic.co
- NVD status
- Modified
CVSS 3.0
- Type
- Primary
- Base score
- 6.5
- Impact score
- 3.6
- Exploitability score
- 2.8
- Vector string
- CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Severity
- MEDIUM
CVSS 2.0
- Type
- Primary
- Base score
- 4
- Impact score
- 2.9
- Exploitability score
- 8
- Vector string
- AV:N/AC:L/Au:S/C:P/I:N/A:N
- Hype score
- Not currently trending
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elastic:kibana:5.0.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "AAAFDC79-44C7-4CD4-BAF7-E4263A94D55E"
},
{
"criteria": "cpe:2.3:a:elastic:kibana:5.0.1:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "19498633-0929-4FA6-84AA-21D392CF9431"
}
],
"operator": "OR"
}
]
}
]