
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN802
_____________________________________________________________________

DATE                : 14/11/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Kibana versions prior
                           to 8.19.7, 9.1.7, 9.2.1.

=====================================================================
https://discuss.elastic.co/t/kibana-8-19-7-9-1-7-and-9-2-1-security-update-esa-2025-24/383381
https://discuss.elastic.co/t/kibana-8-19-7-9-1-7-9-2-1-security-update-esa-2025-25/383379
_____________________________________________________________________


Kibana 8.19.7, 9.1.7, and 9.2.1 Security Update (ESA-2025-24)
Posted by ismisepaul (Paul), November 12, 2025, 9:41am

Kibana Origin Validation Error (ESA-2025-24)

Origin Validation Error in Kibana can lead to Server-Side Request
Forgery via a forged Origin HTTP header processed by the
Observability AI Assistant.


Affected Versions:

    8.12.0 up to and including 8.19.6
    9.1.0 up to and including 9.1.6
    9.2.0


Affected Configurations:

Deployments using the Observability AI Assistant.

Solutions and Mitigations:

Users should upgrade to version 8.19.7, 9.1.7, and 9.2.1.

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability
described in this security advisory was remediated in our Elastic
Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: 4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVE ID: CVE-2025-37734

_____________________________________________________________________


Kibana 8.19.7, 9.1.7, 9.2.1 Security Update (ESA-2025-25)
Posted by ikakavas (Ioannis Kakavas), November 12, 2025, 9:33am

Kibana Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting') (ESA-2025-25)

Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting') in Kibana can lead to DOM-based XSS due to
the use of Vega. The issue in Vega is tracked as CVE-2025-59840.


Affected Versions:

All Kibana versions before and including 8.19.6

All Kibana versions from 9.0.0 up to and including 9.1.6

Kibana version 9.2.0


Affected Configurations:

All Kibana instances where Vega Visualizations are enabled
(default behavior).


Solutions and Mitigations:

Users should upgrade to version 8.19.7, 9.1.7, 9.2.1.

For Users that Cannot Upgrade:

Self-hosted

For on-premise installations, you can set vis_type_vega.enabled:
false in the kibana.yml file. Note that this will disable all Vega
charts in Kibana.

Cloud

For Elastic Cloud services deployments, you can set
vis_type_vega.enabled: false in kibana user settings. Note that
this will disable all Vega charts in Kibana.

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the
vulnerability described in this security advisory was remediated
in our Elastic Cloud Serverless before the public disclosure.

Severity: CVSSv3.1: 8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

CVE ID: CVE-2025-59840
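
A triage check derived from the two notes above, added here as an example (not Elastic's or CERT-Renater's code): given a Kibana version string and the contents of kibana.yml, it reports whether each CVE still applies, using the affected ranges listed in the advisories and treating the documented vis_type_vega.enabled: false workaround as mitigating ESA-2025-25. Whether the Observability AI Assistant is in use is passed in as a flag, since the notes give no configuration key for it; the sample kibana.yml is constructed.

```python
import re

# Constructed sample kibana.yml with the ESA-2025-25 workaround applied.
SAMPLE_KIBANA_YML = "server.port: 5601\nvis_type_vega.enabled: false  # ESA-2025-25 workaround\n"

# Inclusive affected ranges, transcribed from the two advisories above.
ESA_2025_24_RANGES = [((8, 12, 0), (8, 19, 6)), ((9, 1, 0), (9, 1, 6)), ((9, 2, 0), (9, 2, 0))]
ESA_2025_25_RANGES = [((0, 0, 0), (8, 19, 6)), ((9, 0, 0), (9, 1, 6)), ((9, 2, 0), (9, 2, 0))]

def parse_version(v):
    """'8.19.6' -> (8, 19, 6); a pre-release suffix such as '-SNAPSHOT' is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised Kibana version: {v!r}")
    return tuple(int(x) for x in m.groups())

def in_ranges(ver, ranges):
    return any(lo <= ver <= hi for lo, hi in ranges)

def vega_enabled(kibana_yml):
    """False only if kibana.yml sets vis_type_vega.enabled: false (dotted or nested
    YAML form). Vega is on by default, so a missing key means enabled."""
    section = None
    for raw in kibana_yml.splitlines():
        line = raw.split("#", 1)[0].rstrip()           # strip comments
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):            # new top-level key
            section = None
        m = re.match(r"^vis_type_vega\.enabled\s*:\s*(\S+)", line)
        if m:
            return m.group(1).strip("\"'").lower() != "false"
        if re.match(r"^vis_type_vega\s*:\s*$", line):
            section = "vis_type_vega"
            continue
        m = re.match(r"^\s+enabled\s*:\s*(\S+)", line)
        if section == "vis_type_vega" and m:
            return m.group(1).strip("\"'").lower() != "false"
    return True

def assess(version, kibana_yml, uses_obs_ai_assistant):
    """Per CVE from the notes: True if the deployment is still exposed.
    ESA-2025-24 needs the Observability AI Assistant (a deployment fact you supply);
    ESA-2025-25 is mitigated by the documented vis_type_vega.enabled: false setting."""
    ver = parse_version(version)
    return {
        "CVE-2025-37734": in_ranges(ver, ESA_2025_24_RANGES) and uses_obs_ai_assistant,
        "CVE-2025-59840": in_ranges(ver, ESA_2025_25_RANGES) and vega_enabled(kibana_yml),
    }
```

Call assess("9.1.6", SAMPLE_KIBANA_YML, True) to see that the sample deployment remains exposed to CVE-2025-37734 but not to CVE-2025-59840 until it is upgraded.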


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================