Description

Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.

Remediation

References

https://www.elastic.co/community/security/

Related Vulnerabilities

CVE-2010-2245 Vulnerability in maven package org.apache.wink:wink-assembly-aggregatejar-osgi

CVE-2019-10475 Vulnerability in maven package org.jenkins-ci.plugins:build-metrics

CVE-2019-1003010 Vulnerability in maven package org.jenkins-ci.plugins:git

CVE-2014-0112 Vulnerability in maven package org.apache.struts.xwork:xwork-core

CVE-2023-26472 Vulnerability in maven package org.xwiki.platform:xwiki-platform-icon-ui

Severity

High

Classification

CWE-94 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory