CVE-2021-22150: Kibana code execution issue
First published: Wed Nov 22 2023(Updated: )
It was discovered that a user with Fleet admin permissions could upload a malicious package. Due to using an older version of the js-yaml library, this package would be loaded in an insecure manner, allowing an attacker to execute commands on the Kibana server.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Kibana | >=7.10.2<7.14.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-22150?
CVE-2021-22150 is a code execution vulnerability in Kibana.
What is the severity of CVE-2021-22150?
CVE-2021-22150 has a severity value of 7.2, which is considered high.
How does CVE-2021-22150 occur?
CVE-2021-22150 occurs when a user with Fleet admin permissions uploads a malicious package using an older version of the js-yaml library.
How can an attacker exploit CVE-2021-22150?
An attacker can exploit CVE-2021-22150 by executing commands on the Kibana server through the insecure loading of the malicious package.
How can I fix CVE-2021-22150?
To fix CVE-2021-22150, update Kibana to version 7.14.1 or above to mitigate the vulnerability.
- collector/nvd-api
- agent/tags
- agent/severity
- agent/references
- agent/weakness
- agent/title
- agent/author
- agent/type
- agent/event
- agent/description
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- vendor/elastic
- canonical/elastic kibana
- version/elastic kibana/7.10.2