Arbitrary Code Injection Affecting kibana package, versions >=8.7.0 <8.7.1
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-KIBANA-5497344
- published 5 May 2023
- disclosed 5 May 2023
- credit Unknown
Introduced: 5 May 2023
CVE-2023-31415 Open this link in a new tabHow to fix?
Upgrade kibana to version 8.7.1 or higher.
Overview
kibana is an open source (Apache Licensed), browser-based analytics and search dashboard for Elasticsearch.
Affected versions of this package are vulnerable to Arbitrary Code Injection such that an attacker with All privileges to the Uptime/Synthetics feature could send a request that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with permissions of the Kibana process.
Note:
This issue affects Kibana instances running on Elastic Cloud but the code execution is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.
This issue affects Kibana instances running on Elastic Cloud Enterprise (ECE) but the code execution is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.
This issue affects Kibana instances running on Elastic Cloud on Kubernetes (ECK) but the code execution is limited within the Kibana Docker container. Further exploitation such as container escape can be prevented by seccomp-bpf when configured and supported (Kubernetes v1.19 and later).