Description

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

Remediation

References

http://www.securityfocus.com/bid/106285

https://access.redhat.com/errata/RHBA-2018:3743

https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594

https://www.elastic.co/community/security

Related Vulnerabilities

CVE-2016-0762 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2020-7625 Vulnerability in npm package op-browser

CVE-2018-6464 Vulnerability in maven package org.webjars.bower:simditor

CVE-2016-10565 Vulnerability in npm package operadriver

CVE-2020-28282 Vulnerability in maven package org.webjars.npm:getobject

Severity

Critical

Classification

CWE-829 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry Vendor Advisory