CVE-2023-31415

2023-05-0421:15:11

Google

osv.dev

kibana

arbitrary code execution

uptime/synthetics

javascript

host system

permissions

cve-2023-31415

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.4%

JSON

Kibana version 8.7.0 contains an arbitrary code execution flaw. An attacker with All privileges to the Uptime/Synthetics feature could send a request that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with permissions of the Kibana process.

CPENameOperatorVersion
elasticsearcheq0.5.1
elasticsearcheq1.0.0.RC1
elasticsearcheq0.90.0.Beta1
elasticsearcheq5.0.0-alpha1
elasticsearcheq0.12.0
elasticsearcheq7.0.0-alpha1
elasticsearcheq5.0.0-alpha2
elasticsearcheq0.5.0
elasticsearcheq8.0.0-alpha2
elasticsearcheq0.17.0

Name	Operator	Version
elasticsearch	eq	0.5.1
elasticsearch	eq	1.0.0.RC1
elasticsearch	eq	0.90.0.Beta1
elasticsearch	eq	5.0.0-alpha1
elasticsearch	eq	0.12.0
elasticsearch	eq	7.0.0-alpha1
elasticsearch	eq	5.0.0-alpha2
elasticsearch	eq	0.5.0
elasticsearch	eq	8.0.0-alpha2
elasticsearch	eq	0.17.0