9.8

CVE-2018-17246

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ElasticKibana Version >= 5.0.0 < 5.6.13
ElasticKibana Version >= 6.0.0 < 6.4.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 82.25% 0.996
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-73 External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

https://www.elastic.co/community/security
Vendor Advisory
https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594
Vendor Advisory
http://www.securityfocus.com/bid/106285
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHBA-2018:3743
Third Party Advisory