A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution.
References
Link | Resource |
---|---|
https://discuss.elastic.co/t/kibana-8-14-2-7-17-23-security-update-esa-2024-22/ | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
22 Aug 2024, 13:33
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
|
References | () https://discuss.elastic.co/t/kibana-8-14-2-7-17-23-security-update-esa-2024-22/ - Vendor Advisory | |
CPE | cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.2 |
First Time |
Elastic
Elastic kibana |
|
CWE | CWE-1321 |
13 Aug 2024, 12:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-13 12:15
Updated : 2024-08-22 13:33
NVD link : CVE-2024-37287
Mitre link : CVE-2024-37287
CVE.ORG link : CVE-2024-37287
JSON object : View
Products Affected
elastic
- kibana