Arbitrary Code Injection Affecting kibana package, versions >=8.0.0 <8.7.1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-KIBANA-5497343
- published 5 May 2023
- disclosed 5 May 2023
- credit Unknown
Introduced: 5 May 2023
CVE-2023-31414 Open this link in a new tabHow to fix?
Upgrade kibana to version 8.7.1 or higher.
Overview
kibana is an open source (Apache Licensed), browser-based analytics and search dashboard for Elasticsearch.
Affected versions of this package are vulnerable to Arbitrary Code Injection such that an attacker with write access to Kibana yaml or env configuration could add a specific payload that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with permissions of the Kibana process.
Note:
This issue does not affect Kibana instances running on Elastic Cloud as the payload required to trigger this vulnerability cannot be set in Kibana’s configuration.
This issue affects Kibana instances running on Elastic Cloud Enterprise (ECE) but the code execution is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.
This issue affects Kibana instances running on Elastic Cloud on Kubernetes (ECK) but the code execution is limited within the Kibana Docker container. Further exploitation such as container escape can be prevented by seccomp-bpf when configured and supported (Kubernetes v1.19 and later).