PT-2024-5372 · Elastic · Kibana
Published 2024-08-06 · Updated 2024-09-10 · CVE-2024-37287
CVSS v3.1: 9.1 (Critical)
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Kibana versions prior to 8.14.2
Kibana versions prior to 7.17.23
Description
A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to the ML and Alerting connector features, as well as write access to internal ML indices, can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution. At the time of writing, Censys observes 5,183 exposed devices online.
Recommendations
For versions prior to 8.14.2, upgrade to version 8.14.2.
For versions prior to 7.17.23, upgrade to version 7.17.23.
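The two affected ranges above overlap numerically (7.17.23 is "prior to 8.14.2" yet patched), so a version check for this advisory has to be branch-aware. The following is an added example, not Elastic's or the advisory's code; the hostnames are placeholders and the status records are constructed in the shape of Kibana's `/api/status` response (`version.number`).

```javascript
// Added example (not from the advisory): classify Kibana instances against the
// affected ranges stated above, "prior to 8.14.2" and "prior to 7.17.23".

// Parse "8.14.1" or "v7.17.22-SNAPSHOT" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Kibana version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric, component-wise comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Fixed releases per branch. A single "< 8.14.2" test would wrongly flag the
// patched 7.17.23, so the 7.17 branch (and anything older) is checked against
// its own fix version; 9.x and later post-date both fixes.
function isAffectedByCve202437287(version) {
  const [major] = parseVersion(version);
  const fixed = major >= 8 ? '8.14.2' : '7.17.23';
  return compareVersions(version, fixed) < 0;
}

// Constructed sample records in the shape of Kibana's /api/status response
// (`version.number`), one per host; the hostnames are placeholders.
const SAMPLE_STATUS = [
  { host: 'kibana-a.example.internal', status: { version: { number: '8.14.1' } } },
  { host: 'kibana-b.example.internal', status: { version: { number: '8.14.2' } } },
  { host: 'kibana-c.example.internal', status: { version: { number: '7.17.23' } } },
  { host: 'kibana-d.example.internal', status: { version: { number: '7.17.10' } } },
];

// Return the hosts still running an affected release, for patch tracking.
function affectedHosts(records) {
  return records
    .filter((r) => isAffectedByCve202437287(r.status.version.number))
    .map((r) => r.host);
}

console.log(affectedHosts(SAMPLE_STATUS));
// prints [ 'kibana-a.example.internal', 'kibana-d.example.internal' ]
```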
Fix
Prototype Pollution
Code Injection
Related Identifiers
Affected Products
Kibana