Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that attempts to execute JavaScript code. This could lead to the attacker executing arbitrary commands with the permissions of the Kibana process on the host system.
{ "vanir_signatures": [ { "deprecated": false, "signature_type": "Function", "source": "https://github.com/elastic/elasticsearch/commit/4d5320bd33d4392a48dda37c4602dbe1b6a5b6cb", "signature_version": "v1", "target": { "file": "test/framework/src/main/java/org/elasticsearch/test/discovery/ClusterDiscoveryConfiguration.java", "function": "unicastHostPorts" }, "digest": { "function_hash": "301237062243750302052828055619886557208", "length": 745.0 }, "id": "CVE-2018-17246-1071202d" }, { "deprecated": false, "signature_type": "Line", "source": "https://github.com/elastic/elasticsearch/commit/4d5320bd33d4392a48dda37c4602dbe1b6a5b6cb", "signature_version": "v1", "target": { "file": "test/framework/src/main/java/org/elasticsearch/test/discovery/ClusterDiscoveryConfiguration.java" }, "digest": { "threshold": 0.9, "line_hashes": [ "174016456637773374405263839854623907758", "65899717440937260928258610683341589212", "140206647680195545314612796676295510306", "178752616638806026573619557373683246684" ] }, "id": "CVE-2018-17246-9d70779f" } ] }