A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution.

According to its self-reported version number, the Kibana application running on the remote host is 7.x prior to 7.17.23 or 8.x prior to 8.14.2. It is, therefore, affected by Multiples Vulnerabilities.

- An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/log_entries/summary. - An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Kibana installed on the remote host is prior to 7.17.23 or 8.14.2. It is, therefore, affected by a vulnerability as referenced in the ESA-2024-22 advisory.

  - A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and     Alerting connector features, as well as write access to internal ML indices can trigger a prototype     pollution vulnerability, ultimately leading to arbitrary code execution. (CVE-2024-37287)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
114635	Kibana 8.x < 8.14.2 Multiples Vulnerabilities	Web App Scanning	Component Vulnerability	high
114634	Kibana 7.x < 7.17.23 Multiples Vulnerabilities	Web App Scanning	Component Vulnerability	high
205597	Kibana 7.7.x < 7.17.23 / 8.0.x < 8.14.2 (ESA-2024-22)	Nessus	CGI abuses	high

Detections

Analytics

CVE-2024-37287

high

Tenable Plugins

high

high

high