CVE-2021-22151 Kibana path traversal issue

2023-11-2200:36:51

CWE-22

elastic

www.cve.org

kibana

path traversal

vulnerability

.pbf files

3.1 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

4.8 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

16.4%

JSON

It was discovered that Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Kibana",
    "vendor": "Elastic",
    "versions": [
      {
        "lessThan": "7.14.0",
        "status": "affected",
        "version": "7.9.0",
        "versionType": "semver"
      }
    ]
  }
]