30 January 2018

Kibana 6.1.3 and 5.6.7 released

By Court Ewing

Kibana versions 6.1.3 and 5.6.7 have been released today. These releases of Kibana include three security fixes, and impacted folks should upgrade to one of these releases as soon as possible.

Security Issues

  • Open redirect on login page (ESA-2018-03): The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
    Affected versions: All versions before 6.1.3 and 5.6.7
    CVE ID: CVE-2018-3819

  • XSS in labs visualizations (ESA-2018-04): Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
    Affected versions: 6.1.0, 6.1.1, 6.1.2
    CVE ID: CVE-2018-3820

  • XSS in tag cloud visualization (ESA-2018-05): Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
    Affected versions: All versions after 5.1.1 and before 5.6.7 and 6.1.3
    CVE ID: CVE-2018-3821

Kibana 6.1.3 and 5.6.7 are available on our downloads page and on Elastic Cloud.