=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN892
_____________________________________________________________________

DATE                : 22/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Kibana versions prior to 8.19.9,
                     9.1.9, 9.2.3.

=====================================================================
https://discuss.elastic.co/t/kibana-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-34/384182
https://discuss.elastic.co/t/kibana-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-35/384183
https://discuss.elastic.co/t/kibana-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-36/384184
https://discuss.elastic.co/t/kibana-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-38/384186
https://discuss.elastic.co/t/kibana-8-19-7-9-1-7-and-9-2-1-security-update-esa-2025-39/384187
_____________________________________________________________________


Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-34)
ismisepaul (Paul) December 18, 2025, 9:24pm

Kibana Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting') (ESA-2025-34)

Improper neutralization of input during web page generation
('Cross-site Scripting') (CWE-79) allows an authenticated user to
embed a malicious script in content that will be served to web browsers
causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega
bypassing a previous Vega XSS mitigation.


Affected Versions:

    7.x: All versions
    8.x: All versions from 8.0.0 up to and including 8.19.8
    9.x:
        All versions from 9.0.0 up to and including 9.1.8
        All versions from 9.2.0 up to and including 9.2.2


Solutions and Mitigations:

The issue is resolved in versions 8.19.9, 9.1.9, and 9.2.3.

For Users that Cannot Upgrade:

Self-hosted

For on-premise installations, you can set vis_type_vega.enabled:
false in the kibana.yml file. Note that this will disable all Vega
charts in Kibana.


Cloud

For Elastic Cloud services deployments, you can set
vis_type_vega.enabled: false in kibana user settings. Note that
this will disable all Vega charts in Kibana.

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the
vulnerability described in this security advisory was remediated
in our Elastic Cloud Serverless before the public disclosure.

Severity: CVSSv3.1: 7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CVE ID: CVE-2025-68385

_____________________________________________________________________


Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-35)
ismisepaul (Paul) December 18, 2025, 9:25pm

Kibana Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting') (ESA-2025-35)

Improper neutralization of input during web page generation
('Cross-site Scripting') (CWE-79) allows an unauthenticated user to
embed a malicious script in content that will be served to web browsers
causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability in a
function handler in the Vega AST evaluator.

Affected Versions:

    7.x: All versions
    8.x: All versions from 8.0.0 up to and including 8.19.8
    9.x:
        All versions from 9.0.0 up to and including 9.1.8
        All versions from 9.2.0 up to and including 9.2.2

Solutions and Mitigations:

The issue is resolved in versions 8.19.9, 9.1.9, and 9.2.3.

For Users that Cannot Upgrade:

Self-hosted

For on-premise installations, you can set vis_type_vega.enabled: false
in the kibana.yml file. Note that this will disable all Vega charts in
Kibana.

Cloud

For Elastic Cloud services deployments, you can set
vis_type_vega.enabled: false in kibana user settings. Note that this
will disable all Vega charts in Kibana.

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the
vulnerability described in this security advisory was remediated in
our Elastic Cloud Serverless before the public disclosure.

Severity: CVSSv3.1: 6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE ID: CVE-2025-68387

_____________________________________________________________________


Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-36)
ismisepaul (Paul) December 18, 2025, 9:26pm

Kibana Allocation of Resources Without Limits or Throttling (ESA-2025-36)

Allocation of Resources Without Limits or Throttling (CWE-770) in
Kibana can allow a low-privileged authenticated user to cause Excessive
Allocation (CAPEC-130) of computing resources and a denial of service
(DoS) of the Kibana process via a crafted HTTP request.

Affected Versions:

    7.x: All versions
    8.x: All versions from 8.0.0 up to and including 8.19.8
    9.x:
        All versions from 9.0.0 up to and including 9.1.8
        All versions from 9.2.0 up to and including 9.2.2

Solutions and Mitigations:

The issue is resolved in versions 8.19.9, 9.1.9, and 9.2.3.

Severity: CVSSv3.1: 6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2025-68389

_____________________________________________________________________


Kibana 8.19.8, 9.1.8, and 9.2.2 Security Update (ESA-2025-38)
ismisepaul (Paul) December 18, 2025, 9:28pm

Kibana Improper Authorization (ESA-2025-38)

Improper Authorization (CWE-285) in Kibana can lead to privilege
escalation (CAPEC-233) by allowing an authenticated user to change a
document's sharing type to "global," even though they do not have
permission to do so, making it visible to everyone in the space via
a crafted HTTP request.

Affected Versions:

    7.x: All versions
    8.x: All versions from 8.0.0 up to and including 8.19.7
    9.x:
        All versions from 9.0.0 up to and including 9.1.7
        All versions from 9.2.0 up to and including 9.2.1

Solutions and Mitigations:

The issue is resolved in versions 8.19.8, 9.1.8, and 9.2.2.

Severity: CVSSv3.1: 4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE ID: CVE-2025-68386

_____________________________________________________________________


Kibana 8.19.7, 9.1.7, and 9.2.1 Security Update (ESA-2025-39)
ismisepaul (Paul) December 18, 2025, 9:28pm

Kibana Improper Authorization (ESA-2025-39)

Improper Authorization (CWE-285) in Kibana can lead to privilege
escalation (CAPEC-233) by allowing an authenticated user to bypass
intended permission restrictions via a crafted HTTP request. This
allows an attacker who lacks the 'live queries - read' permission to
successfully retrieve the list of live queries.

Affected Versions:

    7.x: All versions
    8.x: All versions from 8.0.0 up to and including 8.19.6
    9.x:
        All versions from 9.0.0 up to and including 9.1.6
        Version 9.2.0

Solutions and Mitigations:

The issue is resolved in versions 8.19.7, 9.1.7, and 9.2.1.

Severity: CVSSv3.1: 4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2025-68422

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================