Vulnerability-Lookup

WID-SEC-W-2025-2576

Vulnerability from csaf_certbund - Published: 2025-11-11 23:00 - Updated: 2025-11-13 23:00

Summary

Kibana: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Kibana ist ein Open Source Datenvisualisierungs-Plugin für Elasticsearch.

Angriff

Ein Angreifer kann mehrere Schwachstellen in Kibana ausnutzen, um Dateien zu manipulieren, und um einen Cross-Site Scripting Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Kibana ist ein Open Source Datenvisualisierungs-Plugin f\u00fcr Elasticsearch.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Kibana ausnutzen, um Dateien zu manipulieren, und um einen Cross-Site Scripting Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-2576 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2576.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-2576 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2576"
      },
      {
        "category": "external",
        "summary": "Kibana Security Update vom 2025-11-11",
        "url": "https://discuss.elastic.co/t/kibana-8-19-7-9-1-7-9-2-1-security-update-esa-2025-25/383379"
      },
      {
        "category": "external",
        "summary": "Kibana Security Update vom 2025-11-11",
        "url": "https://discuss.elastic.co/t/kibana-8-19-7-9-1-7-and-9-2-1-security-update-esa-2025-24/383381"
      }
    ],
    "source_lang": "en-US",
    "title": "Kibana: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-11-13T23:00:00.000+00:00",
      "generator": {
        "date": "2025-11-14T08:02:24.829+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2025-2576",
      "initial_release_date": "2025-11-11T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-11-11T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-11-12T23:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: EUVD-2025-124976"
        },
        {
          "date": "2025-11-13T23:00:00.000+00:00",
          "number": "3",
          "summary": "Referenz(en) aufgenommen: EUVD-2025-175359"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c9.2.1",
                "product": {
                  "name": "Open Source Kibana \u003c9.2.1",
                  "product_id": "T048537"
                }
              },
              {
                "category": "product_version",
                "name": "9.2.1",
                "product": {
                  "name": "Open Source Kibana 9.2.1",
                  "product_id": "T048537-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:elasticsearch:kibana:9.2.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.1.7",
                "product": {
                  "name": "Open Source Kibana \u003c9.1.7",
                  "product_id": "T048538"
                }
              },
              {
                "category": "product_version",
                "name": "9.1.7",
                "product": {
                  "name": "Open Source Kibana 9.1.7",
                  "product_id": "T048538-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:elasticsearch:kibana:9.1.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c8.19.7",
                "product": {
                  "name": "Open Source Kibana \u003c8.19.7",
                  "product_id": "T048539"
                }
              },
              {
                "category": "product_version",
                "name": "8.19.7",
                "product": {
                  "name": "Open Source Kibana 8.19.7",
                  "product_id": "T048539-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:elasticsearch:kibana:8.19.7"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Kibana"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-37734",
      "product_status": {
        "known_affected": [
          "T048539",
          "T048538",
          "T048537"
        ]
      },
      "release_date": "2025-11-11T23:00:00.000+00:00",
      "title": "CVE-2025-37734"
    },
    {
      "cve": "CVE-2025-59840",
      "product_status": {
        "known_affected": [
          "T048539",
          "T048538",
          "T048537"
        ]
      },
      "release_date": "2025-11-11T23:00:00.000+00:00",
      "title": "CVE-2025-59840"
    }
  ]
}

CVE-2025-59840 (GCVE-0-2025-59840)

Vulnerability from cvelistv5 – Published: 2025-11-13 19:54 – Updated: 2025-11-14 16:00

Title

Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable

Summary

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They are vulnerable if they use `vega` in an application that attaches `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window` and if they allow user-defined Vega `JSON` definitions (vs JSON that was is only provided through source code). Patches are available in the following Vega applications. If using the latest Vega line (6.x), upgrade to `vega` `6.2.0` / `vega-expression` `6.1.0` / `vega-interpreter` `2.2.1` (if using AST evaluator mode). If using Vega in a non-ESM environment, upgrade to `vega-expression` `5.2.1` / `1.2.1` (if using AST evaluator mode). Some workarounds are available. Do not attach `vega` View instances to global variables, and do not attach `vega` to the global window. These practices of attaching the vega library and View instances may be convenient for debugging, but should not be used in production or in any situation where vega/vega-lite definitions could be provided by untrusted parties.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

https://github.com/vega/vega/security/advisories/…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	vega	vega	Affected: vega < 6.2.0 Affected: vega-expression >= 6.0.0, < 6.1.0 Affected: vega-expression < 5.2.1 Affected: vega-interpreter >= 2.0.0, < 2.2.1 Affected: vega-interpreter < 1.2.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59840",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-14T15:59:50.261188Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-14T16:00:05.602Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vega",
          "vendor": "vega",
          "versions": [
            {
              "status": "affected",
              "version": "vega \u003c 6.2.0"
            },
            {
              "status": "affected",
              "version": "vega-expression \u003e= 6.0.0, \u003c 6.1.0"
            },
            {
              "status": "affected",
              "version": "vega-expression \u003c 5.2.1"
            },
            {
              "status": "affected",
              "version": "vega-interpreter \u003e= 2.0.0, \u003c 2.2.1"
            },
            {
              "status": "affected",
              "version": "vega-interpreter \u003c 1.2.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if \"safe mode\" expressionInterpreter is used. They are vulnerable if they use `vega` in an application that attaches `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window` and if they allow user-defined Vega `JSON` definitions (vs JSON that was is only provided through source code). Patches are available in the following Vega applications. If using the latest Vega line (6.x), upgrade to `vega` `6.2.0` / `vega-expression` `6.1.0` / `vega-interpreter`  `2.2.1` (if using AST evaluator mode). If using Vega in a non-ESM environment, upgrade to `vega-expression` `5.2.1` / `1.2.1` (if using AST evaluator mode). Some workarounds are available. Do not attach `vega` View instances to global variables, and do not attach `vega` to the global window. These practices of attaching the vega library and View instances may be convenient for debugging, but should not be used in production or in any situation where vega/vega-lite definitions could be provided by untrusted parties."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-13T19:54:26.256Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vega/vega/security/advisories/GHSA-7f2v-3qq3-vvjf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vega/vega/security/advisories/GHSA-7f2v-3qq3-vvjf"
        }
      ],
      "source": {
        "advisory": "GHSA-7f2v-3qq3-vvjf",
        "discovery": "UNKNOWN"
      },
      "title": "Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-59840",
    "datePublished": "2025-11-13T19:54:26.256Z",
    "dateReserved": "2025-09-22T14:34:03.471Z",
    "dateUpdated": "2025-11-14T16:00:05.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37734 (GCVE-0-2025-37734)

Vulnerability from cvelistv5 – Published: 2025-11-12 09:57 – Updated: 2025-11-12 14:16

Title

Kibana Origin Validation Error

Summary

Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-346 - Origin Validation Error

Assigner

elastic

References

URL

Tags

https://discuss.elastic.co/t/kibana-8-19-7-9-1-7-…

Impacted products

	Vendor	Product	Version
	Elastic	Kibana	Affected: 8.12.0 , ≤ 8.19.6 (semver) Affected: 9.1.0 , ≤ 9.1.6 (semver) Affected: 9.2.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-37734",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-12T14:16:20.420596Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-12T14:16:35.035Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Kibana",
          "repo": "https://github.com/kibana",
          "vendor": "Elastic",
          "versions": [
            {
              "lessThanOrEqual": "8.19.6",
              "status": "affected",
              "version": "8.12.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.1.6",
              "status": "affected",
              "version": "9.1.0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "9.2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant."
            }
          ],
          "value": "Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-664",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-664 Server Side Request Forgery"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-346",
              "description": "CWE-346 Origin Validation Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-12T09:57:22.782Z",
        "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
        "shortName": "elastic"
      },
      "references": [
        {
          "url": "https://discuss.elastic.co/t/kibana-8-19-7-9-1-7-and-9-2-1-security-update-esa-2025-24/383381"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Kibana Origin Validation Error",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
    "assignerShortName": "elastic",
    "cveId": "CVE-2025-37734",
    "datePublished": "2025-11-12T09:57:22.782Z",
    "dateReserved": "2025-04-16T03:24:04.511Z",
    "dateUpdated": "2025-11-12T14:16:35.035Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2025-2576

CVE-2025-59840 (GCVE-0-2025-59840)

CVE-2025-37734 (GCVE-0-2025-37734)

Tags

Sightings

Nomenclature