Description

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.

Remediation

References

https://www.elastic.co/community/security/

Related Vulnerabilities

CVE-2023-31418 Vulnerability in maven package org.elasticsearch:elasticsearch

CVE-2020-2218 Vulnerability in maven package org.jenkins-ci.plugins:hp-quality-center

CVE-2019-19466 Vulnerability in npm package sceditor

CVE-2021-21633 Vulnerability in maven package org.jenkins-ci.plugins:dependency-track

CVE-2022-34198 Vulnerability in maven package org.jenkins-ci.plugins:stashbranchparameter

Severity

Critical

Classification

CWE-94 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory