Prototype pollution in Kibana - CVE-2024-37287

 

Prototype pollution in Kibana - CVE-2024-37287

Published: August 6, 2024


Vulnerability identifier: #VU95401
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2024-37287
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Elastic Stack
Affected software:
Kibana

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote user with access to ML and Alerting connector features, as well as write access to internal ML indices, can pass specially crafted input to the application and perform prototype pollution, which can result code execution.


How to mitigate CVE-2024-37287

Install updates from vendor's website.

Sources