Security issues in Kibana plugin - please upgrade

jkressin · April 16, 2018, 12:11am

Hi all,

we have found two security issues in the Search Guard Kibana plugin:

SISG-9: Kibana user can impersonate as the kibanaserver user when using Single-Sign-On
SISG-8: Redirect and XSS vulnerability on the Kibana login page

More information can be found on our Security Issues page:

The issues have already been fixed for Kibana 6.x and 5.6.8. We recommend upgrading the Kibana plugin to the latest version as soon as possible!

Thanks,

Jochen and the Search Guard team

···

Search Guard (®) is an Elasticsearch plugin that offers encryption, authentication and authorisation.

Coded with love in Berlin, Denmark, Sweden and the US.

Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries.

Elasticsearch, Kibana, Logstash, and Beats are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.

Topic		Replies	Views
Search Guard v15 and Kibana Plugin v4 release - Critical security issue fixed Search Guard	0	347	August 8, 2017
Search Guard Kibana Plugin ALPHA released Search Guard	2	386	January 30, 2017
Testers wanted! Our new Kibana multi tenancy module for ES/KI 5.2.2 has arrived as first beta! Search Guard	3	358	March 30, 2017
When xpack security is disabled, kibana with search-guard became unavailable. Search Guard	4	620	October 22, 2018
Kibana licence issue Search Guard	10	449	May 15, 2023