9.8

CVE-2018-17246

EPSS 93.78%
Veröffentlicht 20.12.2018 22:29:00
Zuletzt bearbeitet 21.11.2024 03:54:09
Quelle bressers@elastic.co
CVE-Watchlists
Login
Unerledigt
Login

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

NVD 3 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Elastic ≫ Kibana Version >= 5.0.0 < 5.6.13

Elastic ≫ Kibana Version >= 6.0.0 < 6.4.3

Redhat ≫ Openshift Container Platform Version3.11

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	93.78%	0.998

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-73 External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

https://www.elastic.co/community/security

Vendor Advisory

https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594

Vendor Advisory

http://www.securityfocus.com/bid/106285

Third Party Advisory

VDB Entry

https://access.redhat.com/errata/RHBA-2018:3743

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-17246

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-17246

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-17246

EUVD