Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources, plaintext credentials are included in the HTTP request to those resources and could be recovered by the external resource provider.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2018-17245 from the MITRE CVE dictionary and NIST NVD.
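The flaw described above is a credential-forwarding bug: the report job carries the caller's credentials, and the renderer attaches them to every resource it fetches, regardless of which host serves the resource. The following is an added illustration (not Kibana's code, and the origin, credential value and log entries are constructed placeholders) that shows the flawed pattern beside a hardened one that only sends credentials to the report server's own origin, plus a small helper a defender can run over egress or proxy logs to spot fetches that carried an `Authorization` header to a foreign origin.

```python
from urllib.parse import urlsplit

# Constructed sample values: the report server's own origin and the
# credential the report job carries. Hypothetical, not Kibana's internals.
REPORT_SERVER_ORIGIN = "https://kibana.internal.example:5601"
SESSION_AUTH = "Basic ZWxhc3RpYzpjaGFuZ2VtZQ=="  # constructed placeholder

# Constructed egress log: each entry records one outbound fetch made while
# rendering a report, with the request headers that were sent.
SAMPLE_FETCH_LOG = [
    {"url": "https://kibana.internal.example:5601/bundles/app.css",
     "headers": {"Authorization": SESSION_AUTH}},
    {"url": "https://cdn.example.net/logo.png",
     "headers": {"Authorization": SESSION_AUTH}},   # credential leaves the origin
    {"url": "https://fonts.example.org/roboto.woff2",
     "headers": {}},                                 # nothing sensitive sent
]


def origin_of(url: str) -> str:
    """Return scheme://host[:port] for a URL, lower-cased for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def headers_vulnerable(resource_url: str, auth_header: str) -> dict:
    """The flawed pattern: the job's credential is attached to every fetch,
    so any external resource provider receives it in plaintext."""
    return {"Authorization": auth_header}


def headers_hardened(resource_url: str, auth_header: str, own_origin: str) -> dict:
    """Hardened pattern: the credential is attached only when the resource is
    served from the report server's own origin; foreign origins get none."""
    if origin_of(resource_url) == origin_of(own_origin):
        return {"Authorization": auth_header}
    return {}


def leaking_fetches(fetch_log: list, own_origin: str) -> list:
    """Detection helper: URLs of outbound fetches that carried an
    Authorization header to an origin other than the report server's."""
    own = origin_of(own_origin)
    return [
        entry["url"]
        for entry in fetch_log
        if "Authorization" in entry["headers"] and origin_of(entry["url"]) != own
    ]


if __name__ == "__main__":
    for url in leaking_fetches(SAMPLE_FETCH_LOG, REPORT_SERVER_ORIGIN):
        print("credential sent to foreign origin:", url)
```

Comparing origins rather than hostnames matters here: a resource on the same host but a different scheme or port is a different origin, and the hardened check treats it as external.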
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
Metric | Value |
---|---|
CVSS3 Base Score | 7.5 |
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | None |
User Interaction | None |
Scope | Unchanged |
Confidentiality Impact | High |
Integrity Impact | None |
Availability Impact | None |
Platform | Package | State |
---|---|---|
Red Hat OpenStack Platform Operational Tools 9 | kibana | Not affected |
Red Hat OpenShift Enterprise 3.2 | kibana | Not affected |
Red Hat OpenShift Enterprise 3.1 | kibana | Not affected |
Red Hat OpenShift Enterprise 3.0 | kibana | Not affected |
Red Hat OpenShift Container Platform 3.9 | kibana | Not affected |
Red Hat OpenShift Container Platform 3.7 | kibana | Not affected |
Red Hat OpenShift Container Platform 3.6 | kibana | Not affected |
Red Hat OpenShift Container Platform 3.5 | kibana | Not affected |
Red Hat OpenShift Container Platform 3.4 | kibana | Not affected |
Red Hat OpenShift Container Platform 3.3 | kibana | Not affected |
Red Hat OpenShift Container Platform 3.11 | kibana | Not affected |
Red Hat OpenShift Container Platform 3.10 | kibana | Not affected |
Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7 | kibana | Not affected |