Rewterz Threat Advisory – Multiple Elastic Kibana Vulnerabilities
May 5, 2023Rewterz Threat Advisory – CVE-2022-45048 – Apache Ranger Vulnerability
May 5, 2023Rewterz Threat Advisory – Multiple Elastic Kibana Vulnerabilities
May 5, 2023Rewterz Threat Advisory – CVE-2022-45048 – Apache Ranger Vulnerability
May 5, 2023Severity
Medium
Analysis Summary
CVE-2023-31414 CVSS:8.2
Elastic Kibana could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper input validation. By sending a specially crafted payload, an attacker could exploit this vulnerability to execute arbitrary code with permissions of the Kibana process on the system.
CVE-2023-31415 CVSS:9.9
Elastic Kibana could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper input validation by the Uptime/Synthetics feature. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code with permissions of the Kibana process on the system.
Impact
- Code Execution
Indicators Of Compromise
CVE
- CVE-2023-31414
- CVE-2023-31415
Affected Vendors
Elastic
Affected Products
- Elastic Kibana 8.0.0 to 8.7.0
Remediation
Refer to Elasticsearch for patch, upgrade or suggested workaround information.