EIQ-2018-0009

ID: EIQ-2018-0009
CVE: CVE-2018-17246
Description: Arbitrary file inclusion flaw in the Kibana Console plugin
Date: -
Severity: 4 - CRITICAL
CVSS score: 9.8
Status: ✅ 2.3.4

Assessment

Kibana versions earlier than 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin.

An attacker with access to the Kibana Console API can send a request that will attempt to execute JavaScript code.

This could possibly lead to an attacker executing arbitrary commands with Kibana process permissions on the host system.
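As an added check, not part of the advisory, the script below reads the JSON that Kibana's /api/status endpoint returns and flags any version below the fixed releases named above (5.6.13 on the 5.x branch, 6.4.3 on the 6.x branch). It assumes the standard /api/status response shape and, following the advisory's "earlier than" wording, treats branches older than 5.x as affected too.

```python
import json
import re

# Fixed releases named in the advisory, keyed by major version branch.
FIXED = {5: (5, 6, 13), 6: (6, 4, 3)}


def parse_version(text):
    """Turn '6.4.2' or '5.6.13-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version is below the fix for its branch.

    Assumption: branches older than 5.x are treated as affected (conservative
    reading of 'earlier than 5.6.13'); 7.x and later already contain the fix.
    """
    v = parse_version(version)
    major = v[0]
    if major < 5:
        return True
    if major in FIXED:
        return v < FIXED[major]
    return False


def check_status_response(body):
    """Extract version.number from a Kibana /api/status JSON body and classify it."""
    data = json.loads(body)
    version = data["version"]["number"]
    return version, is_affected(version)


# Constructed sample of a /api/status response body (not captured from a real host).
SAMPLE_STATUS = '{"name": "kibana-1", "version": {"number": "6.4.2", "build_hash": "0000000"}}'

if __name__ == "__main__":
    ver, affected = check_status_response(SAMPLE_STATUS)
    print(f"Kibana {ver}: {'affected, upgrade required' if affected else 'not affected'}")
```

Point it at a live instance by fetching /api/status with the credentials you normally use for Kibana and passing the body to check_status_response.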

Mitigation

Upgrade the ELK stack to 5.6.14.

Affected versions

2.3.3 and earlier.

Notes

The bug only writes the result of the request to the Kibana logs, which makes it difficult to exploit.

If a user could upload a JavaScript file to the server, it would increase the impact up to the level indicated by the CVSS base score.

The platform stores most files in the PostgreSQL database, and temporary files are isolated from the Kibana user by file permissions.

We have not found an execution path on platform installations that follow our build guidelines.