Note:
This project will be discontinued after December 13, 2021. [more]
2019-07-30
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system.
Products | Kibana |
Type | Server-Side Request Forgery (SSRF) (CWE-918) |
First patch | - None (likely due to unavailable code) |
Links | https://www.elastic.co/community/security/ |