Lucene search

ElasticCVE-2024-37287

HistoryAug 13, 2024 - 12:15 p.m.

CVE-2024-37287

2024-08-1312:15:06

CWE-1321

CWE-94

elastic

web.nvd.nist.gov

kibana

arbitrary code execution

prototype pollution

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.001

Percentile

18.9%

JSON

A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution.

Affected configurations

Nvd

Node

elastickibanaRange7.7.0–7.17.23

elastickibanaRange8.0.0–8.14.2

VendorProductVersionCPE
elastickibana*cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
elastic	kibana	*	cpe:2.3:a:elastic:kibana::::::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Kibana",
    "repo": "https://github.com/elastic/kibana",
    "vendor": "Elastic",
    "versions": [
      {
        "lessThan": "7.17.23, 8.14.2",
        "status": "affected",
        "version": "7.7.0, 8.0.0",
        "versionType": "semver"
      }
    ]
  }
]

References

discuss.elastic.co/t/kibana-8-14-2-7-17-23-security-update-esa-2024-22/

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.001

Percentile

18.9%

JSON

Related for CVE-2024-37287