{"id":"CVE-2018-17245","details":"Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources plaintext credentials are included in the HTTP request that could be recovered by an external resource provider.","modified":"2026-04-11T18:45:11.994204Z","published":"2018-12-20T22:29:00.303Z","references":[{"type":"ADVISORY","url":"https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594"},{"type":"ADVISORY","url":"https://www.elastic.co/community/security"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/kibana","events":[{"introduced":"edfd7e6e2b18a73b48d5126084e0454919f30e9f"},{"last_affected":"f898fba4809593df9a66cc3d0778f6faae2566d5"},{"introduced":"c5af7a418333df6a934b8d1a5648c675641388bd"},{"last_affected":"a07347478b7a3b1661cfb77c149fd15bdeb8921d"},{"introduced":"f8bc449f5a6b28d0597730b1cf03fefe7e33422e"},{"last_affected":"33b5de37d73763319101b4ed11a6bd44f6ea03b5"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"4.0.0"},{"last_affected":"4.6.0"},{"introduced":"5.0.0"},{"last_affected":"5.6.12"},{"introduced":"6.0.0"},{"last_affected":"6.4.2"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-17245.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}