Prototype pollution in Kibana



Published: 2024-08-06
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2024-37287
CWE-ID CWE-1321
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Kibana
Web applications / Other software

Vendor Elastic Stack

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Prototype pollution

EUVDB-ID: #VU95401

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-37287

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote user with access to ML and Alerting connector features, as well as write access to internal ML indices, can pass specially crafted input to the application and perform prototype pollution, which can result code execution.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Kibana: 7.0.0 - 8.14.2

External links

http://discuss.elastic.co/t/kibana-8-14-2-7-17-23-security-update-esa-2024-22/364424


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###