Description
Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.
Remediation
References
https://www.elastic.co/community/security/
Related Vulnerabilities
CVE-2023-35887 Vulnerability in maven package org.apache.sshd:sshd-sftp
CVE-2022-34197 Vulnerability in maven package org.jenkins-ci.plugins:sauce-ondemand
CVE-2020-14340 Vulnerability in maven package org.jboss.xnio:xnio-nio
CVE-2020-13943 Vulnerability in maven package org.apache.tomcat:tomcat-coyote
CVE-2022-36099 Vulnerability in maven package org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki