CVE-2024-37287

A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*

History

22 Aug 2024, 13:33

Type Values Removed Values Added
Summary
  • (es) Se descubrió en Kibana una falla que permitía la ejecución de código arbitrario. Un atacante con acceso a funciones de ML y conector de alertas, así como acceso de escritura a índices internos de ML, puede desencadenar una vulnerabilidad de contaminación de prototipo, lo que en última instancia conduce a la ejecución de código arbitrario.
References () https://discuss.elastic.co/t/kibana-8-14-2-7-17-23-security-update-esa-2024-22/ - () https://discuss.elastic.co/t/kibana-8-14-2-7-17-23-security-update-esa-2024-22/ - Vendor Advisory
CPE cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 9.1
v2 : unknown
v3 : 7.2
First Time Elastic
Elastic kibana
CWE CWE-1321

13 Aug 2024, 12:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-13 12:15

Updated : 2024-08-22 13:33


NVD link : CVE-2024-37287

Mitre link : CVE-2024-37287

CVE.ORG link : CVE-2024-37287


JSON object : View

Products Affected

elastic

  • kibana
CWE
CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-94

Improper Control of Generation of Code ('Code Injection')