Kibana 5.5.2, 4.6.6, and 2.4.6 plugins released

Hello, and welcome to the 5.5.2 and 4.6.6 releases of Kibana! We've also released the 2.4.6 versions of our reporting, graph, marvel, and shield plugins. These releases contain some small bug fixes and important security fixes. Please see details below.

Kibana 5.5.2 is available on our downloads page and on Elastic Cloud. When you’re finished reading, take a look at the complete release notes for all the goodies.

Kibana 4.6.6 is also available on our downloads page under "past releases" and only contains the changes for the security update.

Security Fixes

Kibana 5.5.2 and Kibana 4.6.6 security update

Kibana markdown parser Cross Site Scripting (XSS) error (ESA-2017-16)

Kibana versions prior to 5.5.2 had a cross-site scripting (XSS) vulnerability in the markdown parser that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

Affected Versions: All prior to 5.5.2 and 4.6.6

Solutions and Mitigations:

Users should upgrade to Kibana version 5.5.2 or 4.6.6.

Reporting impersonation error (ESA-2017-17)

The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data.

Affected Versions: All prior to 5.5.2 and 2.4.6

Solutions and Mitigations:

Reporting users should upgrade to X-Pack version 5.5.2 or Reporting Plugin version 2.4.6. A mitigation for this issue is to remove the reporting_user role from any untrusted users of your Elastic Stack.

CVE ID: CVE-2017-8446

Bug Fixes


  • [Fix for #13365] Truncate long field names in filter editor #13379
  • [Fix for #12728] Ensure conflicted fields can be searchable and/or aggregatable #13070
  • [Fix for #13255] Ensure we are working with data-series to avoid tooltip errors #13266
  • [Fix for #12724] by default metric should not define color #12993
  • [Fix for #12391] in percentage mode tooltip should also show percentages #13217
    • Tooltips now correctly display the percentage-value in area charts where the Y-Axis is formatted in percentage mode.
  • Use the customMetric's formatter for pipeline aggregations #11933
  • [Fix for] Should only fit on shapes that are part of the result #12881
    • When clicking the fit-data button in a Region Map, the map now zooms correctly to the relevant data instead of showing the entire layer.
  • [Fix for] Save layer setting in the region map UI #12956
    • The layer selection is now preserved in the UI dropdown when saving a Region Map.
  • [Fix for] Region map should respect saved center and zoom #12883
    • The location of the map is now stored correctly when saving a Region Map.
  • [Fix for #12963] Exclude stacktrace from error response of Timelion backend #12973
    • The Timelion backend no longer includes the stacktrace as part of the server response. This stacktrace is now logged to the server console.


Dev Tools

  • Respects ES customHeaders config for Console #13033