History: Nov 22, 2023 - 1:15 a.m.

CVE-2021-22150

2023-11-22 01:15:07
CWE-94
web.nvd.nist.gov
10
Tags: cve-2021-22150, fleet admin permissions, malicious package, js-yaml library, kibana server, nvd

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.1 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.7%

It was discovered that a user with Fleet admin permissions could upload a malicious package. Because Kibana used an older version of the js-yaml library, this package was loaded in an insecure manner, allowing an attacker to execute commands on the Kibana server.

Affected configurations

NVD
Node: elastic kibana, Range: 7.10.2 to 7.14.1
CPE: elastic:kibana | Name: elastic kibana | Operator: lt | Version: 7.14.1

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Kibana",
    "vendor": "Elastic",
    "versions": [
      {
        "lessThan": "7.14.0",
        "status": "affected",
        "version": "7.10.2",
        "versionType": "semver"
      }
    ]
  }
]
