Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HElastic Kibana
APPElastic< 5.6.156.0.0 – 6.6.1 (bez)Red Hat OpenShift Container Platform
APPRedhat3.114.1
CISA KEV — detailsi
- Vendori
- Elastic
- Producti
- Kibana
- Added to KEVi
- January 10, 2022
- Remediation deadline (US Federal)i
- July 10, 2022(overdue)
Apply updates per vendor instructions.
Kibana contain an arbitrary code execution flaw in the Timelion visualizer.
Related vulnerabilities
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/...
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main...
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.13...
Samba: RCE przez command injection w 'check password script' z podstawieniem %u
Samba: command injection w podsystemie drukowania przez podstawienie %J