Kibana code execution issue
CVE-2021-22150

6.6MEDIUM

Key Information:

Vendor
Elastic
Status
Kibana
Vendor
CVE Published:
22 November 2023

Summary

It was discovered that a user with Fleet admin permissions could upload a malicious package. Due to using an older version of the js-yaml library, this package would be loaded in an insecure manner, allowing an attacker to execute commands on the Kibana server.

Affected Version(s)

Kibana 7.10.2 < 7.14.0

References

https://discuss.elastic.co/t/elastic-stack-7-14-1-securit...
https://www.elastic.co/community/security

CVSS V3.1

Score:
6.6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.