9.8

CVE-2018-17246

EPSS 93.28%
Published 20.12.2018 22:29:00
Last modified 21.11.2024 03:54:09
Source bressers@elastic.co
Teams watchlist Login
Open Login

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

Affected products Warnungen 0 Metrics 3 CWE 2 References 7

Data is provided by the National Vulnerability Database (NVD)

Elastic ≫ Kibana Version >= 5.0.0 < 5.6.13

Elastic ≫ Kibana Version >= 6.0.0 < 6.4.3

Redhat ≫ Openshift Container Platform Version3.11

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	93.28%	0.998

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-73 External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

https://www.elastic.co/community/security

Vendor Advisory

https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594

Vendor Advisory

http://www.securityfocus.com/bid/106285

Third Party Advisory

VDB Entry

https://access.redhat.com/errata/RHBA-2018:3743

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-17246

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-17246

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-17246

EUVD