Main Vulnerability Database Vulnerabilities #VU95401

#VU95401 Prototype pollution in Kibana - CVE-2024-37287

Published: August 6, 2024

Vulnerability identifier: #VU95401

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2024-37287

CWE-ID: CWE-1321

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Kibana

Software vendor:
Elastic Stack

Description

The vulnerability allows a remote user to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote user with access to ML and Alerting connector features, as well as write access to internal ML indices, can pass specially crafted input to the application and perform prototype pollution, which can result code execution.

Remediation

Install updates from vendor's website.

External links

https://discuss.elastic.co/t/kibana-8-14-2-7-17-23-security-update-esa-2024-22/364424

#VU95401 Prototype pollution in Kibana - CVE-2024-37287

Description

Remediation

External links

Please verify you're human