PT-2018-13966 · Elastic · Kibana

Nethanel Coppenhagen

Published

2018-12-20

Updated

2025-07-18

CVE-2018-17246

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Kibana versions prior to 6.4.3 Kibana versions prior to 5.6.13

Description The issue is related to an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request to execute javascript code, potentially leading to the execution of arbitrary commands with the permissions of the Kibana process on the host system.

Recommendations For versions prior to 6.4.3, update to version 6.4.3 or later. For versions prior to 5.6.13, update to version 5.6.13 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-829CWE-73

Related Identifiers

CVE-2018-17246

Affected Products

Kibana

PT-2018-13966 · Elastic · Kibana

CVE-2018-17246

Weakness Enumeration

Related Identifiers

Affected Products

References · 7