Kibana 6.8.14edit

The 6.8.14 release includes a security update and fixes one issue.

Security updateedit

Vega visualizations are susceptible to stored and reflected XSS via a vulnerable version of the Vega library. When you create Vega visualizations or create a vulnerable URL that describes the visualization, an arbitrary JavaScript can execute in your browser.

Affected versionsedit

Affected versions include 6.8.13 and earlier.


Verify if you use Vega visualizations, then complete the following:

  • If you use Vega visualizations, upgrade to 6.8.14.
  • If you do not use Vega visualizations, open your kibana.yml file, then change vega.enabled: true to vega.enabled: false.

Bug fixedit

  • Fixes an issue where a failed request in the headless browser running the screenshot capture would log an obscured error #88118