Note:
This project will be discontinued after December 13, 2021. [more]
2019-03-25
Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
| Products | Kibana |
| Type | Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77) |
| First patch | - None (likely due to unavailable code) |
| Links |
• https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
• https://www.elastic.co/community/security |