exploitDog

CVE-2025-68386

Published: 18 Dec 2025
Source: redhat
CVSS3: 4.3

Description

Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted HTTP request.

A flaw was found in Kibana, where an authenticated user, through a crafted HTTP request, can exploit an Improper Authorization (CWE-285) vulnerability. This allows the user to change a document's sharing type to "global" without proper permissions. The consequence is unauthorized information disclosure, making the document visible to everyone in the space, effectively leading to a form of privilege escalation.

Statement

This vulnerability is rated Moderate for Red Hat. An authenticated user in Kibana can exploit an improper authorization flaw to change a document's sharing type to "global" without proper permissions. This leads to unauthorized information disclosure, making the document visible to all users in the space. This affects OpenShift Container Platform via openshift-logging/kibana6-rhel8.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Affected packages

Platform | Package | State | Advisory | Release
Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Fix deferred | |

Additional information

Status:

Moderate
Defect:
CWE-863
https://bugzilla.redhat.com/show_bug.cgi?id=2423746
Kibana: Kibana: Unauthorized Information Disclosure via Improper Authorization

4.3 Medium

CVSS3

Related vulnerabilities

CVSS3: 4.3
nvd
4 months ago

Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted HTTP request.

CVSS3: 4.3
debian
4 months ago

Improper Authorization (CWE-285) in Kibana can lead to privilege escal ...

CVSS3: 4.3
github
4 months ago

Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted HTTP request.

CVSS3: 4.3
fstec
4 months ago

Vulnerability in the Kibana data visualization service, related to authorization errors, allowing an attacker to escalate privileges
