=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN572
_____________________________________________________________________

DATE                : 03/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Kibana 9.0.x prior to 9.0.6 or
                                 9.1.x prior to 9.1.3.

=====================================================================
https://discuss.elastic.co/t/kibana-9-0-6-9-1-3-security-update-esa-2025-13/381426
_____________________________________________________________________

Kibana 9.0.6, 9.1.3 Security Update (ESA-2025-13)
Posted by ismisepaul (Paul), August 28, 2025, 3:35pm

Kibana privilege escalation via reporting_user role (ESA-2025-13)

Incorrect authorization in Kibana can lead to privilege escalation
via the built-in reporting_user role which incorrectly has the
ability to access all Kibana Spaces.


Affected Versions:

Kibana versions 9.0.0 up to and including 9.0.5; and versions 9.1.0
up to and including 9.1.2


Affected Configurations:

This issue affects deployments which assign the built-in
reporting_user role to end users. This role is not assigned to users
by default.

The reporting_user role in affected versions incorrectly grants
users the ability to access all Kibana Spaces, with the following
privileges:

    Read access to Discover, including the ability to generate reports.

    Read access to Dashboards, including the ability to generate reports.

    Read access to the Visualization Library, including the ability to
    generate reports.

    Read access to Canvas, including the ability to generate reports.

The reporting_user role in versions prior to 9.0 did not grant
access to any Kibana Spaces; it only granted reporting
functionality within the Spaces users were already authorized
to access.

Important: This vulnerability does not violate configured index
privileges. Users with the reporting_user role assigned will not
have access to any additional user documents or indices. They
will be able to access the aforementioned Kibana assets, but not
the data within, unless their existing index privileges would
otherwise grant access.


Solutions and Mitigations:

The issue is resolved in versions 9.0.6 and 9.1.3.

Any API Keys created by users with the reporting_user role in
the affected versions will continue to have elevated privileges.
Ensure these API Keys are invalidated to prevent unauthorized
access to additional Spaces.

For Users that Cannot Upgrade:

Administrators should revoke the reporting_user role from their
end users and instead grant reporting functionality through custom
roles that grant only the appropriate reporting access.
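The two remediation steps above (find who holds reporting_user, invalidate the API keys those users own, and replace the role with a Space-scoped custom role) can be scripted. The following is an added example, not code from Elastic or CERT-Renater; it works on the JSON shapes returned by GET /_security/user, GET /_security/api_key and PUT /api/security/role, the sample data is constructed, and the Kibana sub-feature privilege names minimal_read and generate_report are assumed to match those shown in the Kibana role editor.

```python
"""Audit helpers for ESA-2025-13 (CVE-2025-25010): list users holding the
built-in reporting_user role, the live API keys they own (which keep the
privileges the owner had at creation time), and a replacement role body."""
import json

# Constructed sample in the shape of GET /_security/user (username -> user doc).
SAMPLE_USERS = {
    "alice": {"roles": ["reporting_user", "viewer"], "enabled": True},
    "bob":   {"roles": ["kibana_admin"], "enabled": True},
    "carol": {"roles": ["reporting_user"], "enabled": False},
}

# Constructed sample in the shape of GET /_security/api_key?owner=false.
SAMPLE_API_KEYS = {"api_keys": [
    {"id": "k1", "name": "alice-report-job", "username": "alice", "invalidated": False},
    {"id": "k2", "name": "bob-ci", "username": "bob", "invalidated": False},
    {"id": "k3", "name": "carol-old", "username": "carol", "invalidated": True},
    {"id": "k4", "name": "carol-new", "username": "carol", "invalidated": False},
]}

def users_with_role(users, role="reporting_user"):
    """Usernames whose role list contains `role`; disabled users count too,
    because keys they created earlier remain valid."""
    return sorted(u for u, doc in users.items() if role in doc.get("roles", []))

def api_keys_to_invalidate(api_keys, usernames):
    """Ids of non-invalidated API keys owned by the affected users."""
    owners = set(usernames)
    return [k["id"] for k in api_keys["api_keys"]
            if k["username"] in owners and not k.get("invalidated", False)]

def invalidate_request_body(key_ids):
    """Body for DELETE /_security/api_key, which accepts a list of key ids."""
    return {"ids": list(key_ids)}

def scoped_reporting_role(spaces):
    """Body for PUT /api/security/role/<name>: read plus report generation in
    the listed Spaces only. Index privileges are left empty on purpose; add the
    ones the users already hold (assumed privilege names, see lead-in)."""
    features = {f: ["minimal_read", "generate_report"]
                for f in ("discover", "dashboard", "visualize", "canvas")}
    return {"elasticsearch": {},
            "kibana": [{"base": [], "spaces": list(spaces), "feature": features}]}

if __name__ == "__main__":
    affected = users_with_role(SAMPLE_USERS)
    keys = api_keys_to_invalidate(SAMPLE_API_KEYS, affected)
    print("users holding reporting_user:", affected)
    print("DELETE /_security/api_key", json.dumps(invalidate_request_body(keys)))
    print(json.dumps(scoped_reporting_role(["marketing"]), indent=2))
```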

Severity: CVSSv3.1: 6.5 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID: CVE-2025-25010

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
