Description

Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.

Remediation

References

https://www.elastic.co/community/security/

Related Vulnerabilities

CVE-2022-42127 Vulnerability in maven package com.liferay:com.liferay.friendly.url.web

CVE-2012-2379 Vulnerability in maven package org.apache.cxf:cxf-rt-ws-security

CVE-2016-8747 Vulnerability in maven package org.apache.tomcat:tomcat-coyote

CVE-2022-34807 Vulnerability in maven package org.jenkins-ci.plugins:elasticsearch-query

CVE-2017-7661 Vulnerability in maven package org.apache.cxf.fediz:fediz-spring2

Severity

High

Classification

CWE-94 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory