First published: Thu Dec 20 2018
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that causes the server to attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands with the permissions of the Kibana process on the host system.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Kibana | >=5.0.0, <5.6.13 | |
| Elastic Kibana | >=6.0.0, <6.4.3 | |
| Redhat Openshift Container Platform | =3.11 | |
The vulnerability ID is CVE-2018-17246.
The severity rating of CVE-2018-17246 is critical with a score of 9.8.
Kibana versions before 6.4.3 and 5.6.13 are affected by CVE-2018-17246.
An attacker with access to the Kibana Console API could execute arbitrary commands with the permissions of the Kibana process on the host system.
You can find more information about CVE-2018-17246 at the following references: [SecurityFocus](http://www.securityfocus.com/bid/106285), [Red Hat Security Advisory](https://access.redhat.com/errata/RHBA-2018:3743), [Elastic discussion forum](https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594).