CVE-2024-37287


A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices, can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution.


Published

2024-08-13T12:15:06.433

Last Modified

2024-08-22T13:33:12.477

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 9.1 (CRITICAL)

Weaknesses
  • Type: Secondary
    CWE-94
  • Type: Primary
    CWE-1321

Affected Vendors & Products
Type         Vendor   Product  Version/Range  Vulnerable?
Application  elastic  kibana   < 7.17.23      Yes
Application  elastic  kibana   < 8.14.2       Yes

References