Prototype Pollution Vulnerability in Kibana Allows Arbitrary Code Execution
CVE-2024-37287

7.2 HIGH

Key Information:

Vendor: Elastic

Status
Vendor
CVE Published: 13 August 2024

Badges

📈 Score: 235 | 👾 Exploit Exists | 📰 News Worthy

What is CVE-2024-37287?

CVE-2024-37287 is a serious vulnerability affecting Kibana, a data visualization and exploration tool commonly used with the Elasticsearch search and analytics engine. The flaw is a prototype pollution vulnerability that allows arbitrary code execution. It is triggered when attackers use specific features related to machine learning and alerting connectors, particularly when they have write access to internal machine learning indices. The vulnerability poses a significant threat to organizations that rely on Kibana for data analysis and monitoring, as successful exploitation could lead to severe disruptions and unauthorized control over critical systems.

Technical Details

The vulnerability centers on improper handling within Kibana's machine learning capabilities, where an attacker can manipulate existing objects or create new ones in ways the application does not expect. By leveraging access to the ML and alerting connector features, an attacker with sufficient privileges can trigger the prototype pollution, which leads to arbitrary code execution. This could enable malicious actors not only to compromise the integrity of the application but also potentially to gain access to sensitive data and system functions.
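To make the mechanism concrete, the following added example (not Kibana code and not taken from the vendor advisory) shows in plain Node.js how a recursive merge over a writable JSON document pollutes `Object.prototype`, next to a hardened merge and a helper that flags prototype-related keys in stored documents. The function names, the sample document and the assumption that the input arrives as a JSON document are illustrative; the page does not describe the actual code path.

```javascript
// Added illustration, not Kibana source. All names here are hypothetical.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
// Naive recursive merge: follows whatever keys the input document supplies.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]); // target['__proto__'] is Object.prototype
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skips prototype-related keys, descends only into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Audit helper: paths of prototype-related keys found in a stored document.
function findSuspiciousKeys(doc, path = '') {
  if (doc === null || typeof doc !== 'object') return [];
  return Object.keys(doc).flatMap((key) => {
    const here = path ? `${path}.${key}` : key;
    const hit = FORBIDDEN_KEYS.has(key) ? [here] : [];
    return hit.concat(findSuspiciousKeys(doc[key], here));
  });
}
// Constructed sample document; JSON.parse keeps "__proto__" as an ordinary own key.
const SAMPLE_DOC = JSON.parse('{"job":{"id":"j1","__proto__":{"polluted":"yes"}}}');
function demo(merge) {
  merge({ job: {} }, SAMPLE_DOC);
  const leaked = {}.polluted; // read from an unrelated, empty object
  delete Object.prototype.polluted; // undo the side effect so the demo is repeatable
  return leaked;
}
console.log(demo(unsafeMerge), demo(safeMerge), findSuspiciousKeys(SAMPLE_DOC));
```

The naive merge makes every object in the process inherit the injected property, which is why pollution in one feature can change behavior in unrelated code; the hardened merge leaves `Object.prototype` untouched.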

Potential Impact of CVE-2024-37287

  1. Arbitrary Code Execution: The most significant impact is the potential for arbitrary code execution, allowing attackers to execute malicious scripts or commands on the server. This compromise can lead to further infiltration of an organization's IT infrastructure.

  2. Data Breach Risks: Exploiting this vulnerability may facilitate unauthorized access to sensitive data stored in Kibana or Elasticsearch, resulting in data leaks and compliance breaches that could have legal and financial ramifications.

  3. Service Disruption: The ability to gain control over Kibana can result in disruptions of data services, impacting operational efficiency. If attackers take control of the platform, it may lead to significant downtime and loss of service integrity, affecting business continuity.

Affected Version(s)

Kibana from 7.7.0 before 7.17.23, and from 8.0.0 before 8.14.2

News Articles

Elasticsearch Kibana Arbitrary Code Execution Vulnerability (CVE-2024-37287) – Qualys ThreatPROTECT

Kibana, a data visualization tool, released a patch to address a critical severity flaw that may allow an attacker to perform arbitrary code execution on target systems. Tracked as...

Critical Kibana Vulnerability Let Attackers Execute Arbitrary Code

A critical security flaw has been identified in Kibana, a popular open-source data visualization and exploration tool.

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • 👾 Exploit known to exist

  • 📰 First article discovered by CybersecurityNews

  • Vulnerability Reserved
