BID:106285

Kibana CVE-2018-17246 Local File Include Vulnerability

CVE-2018-17246 |

Info

Kibana CVE-2018-17246 Local File Include Vulnerability

Bugtraq ID:	106285
Class:	Input Validation Error
CVE:	CVE-2018-17246
Remote:	Yes
Local:	No
Published:	Dec 20 2018 12:00AM
Updated:	Dec 20 2018 12:00AM
Credit:	Nethanel Coppenhagen from CyberArk Labs.
Vulnerable:	Elasticsearch Kibana 6.4.2 Elasticsearch Kibana 6.4 Elasticsearch Kibana 6.3 Elasticsearch Kibana 6.2 Elasticsearch Kibana 6.1.2 Elasticsearch Kibana 6.1.1 Elasticsearch Kibana 6.1 Elasticsearch Kibana 6.0 Elasticsearch Kibana 5.6.12 Elasticsearch Kibana 5.6.6 Elasticsearch Kibana 5.6.5 Elasticsearch Kibana 5.6.4 Elasticsearch Kibana 5.6.3 Elasticsearch Kibana 5.6.2 Elasticsearch Kibana 5.6.1 Elasticsearch Kibana 5.6 Elasticsearch Kibana 5.5 Elasticsearch Kibana 5.4 Elasticsearch Kibana 5.3 Elasticsearch Kibana 5.2 Elasticsearch Kibana 5.1.2 Elasticsearch Kibana 5.0

Not Vulnerable:	Elasticsearch Kibana 6.4.3 Elasticsearch Kibana 5.6.13

Discussion

Kibana CVE-2018-17246 Local File Include Vulnerability

Kibana is prone to a local file-include vulnerability.

An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

The following versions of product are vulnerable:

Kibana 5.0 through 5.5.12 are vulnerable.
Kibana 6.0 through 6.4.2 are vulnerable.

Exploit / POC

Kibana CVE-2018-17246 Local File Include Vulnerability

An exploit is available. Please see the references for more information.

Solution / Fix

Kibana CVE-2018-17246 Local File Include Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

References

Kibana CVE-2018-17246 Local File Include Vulnerability

References:

Elastic Stack 6.4.3 and 5.6.13 security update (Elastic)
Github Kibana Commit (Github)
Github Kibana Repository (Github)
Kibana Home Page (Kibana)
Kibana Local File Inclusion Flaw CVE-2018-17246 (Kibana)
Kibana Product Page (kibana)
A Local File Inclusion in Kibana allows attackers to run local JavaScript files (Cyberark)
CVE-2018-17246 kibana: Arbitrary file inclusion vulnerability in the Console plu (Redhat)
Red Hat Bugzilla �?? Bug 1647344 (Red Hat Bugzilla)