CVE-2021-37938
Severity Score
4.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension. Thanks to Dominic Couture for finding this vulnerability.
Se ha detectado que en los sistemas operativos Windows específicamente, Kibana no estaba comprendiendo una ruta suministrada por el usuario, que cargaría archivos .pbf. Debido a esto, un usuario malicioso podría atravesar arbitrariamente el host de Kibana para cargar archivos internos que terminaran en la extensión .pbf. Gracias a Dominic Couture por encontrar esta vulnerabilidad.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-08-03 CVE Reserved
- 2021-11-18 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-269: Improper Privilege Management
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://discuss.elastic.co/t/kibana-7-15-2-security-update/288923 | 2021-11-23 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Elastic Search vendor "Elastic" | Kibana Search vendor "Elastic" for product "Kibana" | >= 7.9.0 < 7.15.2 Search vendor "Elastic" for product "Kibana" and version " >= 7.9.0 < 7.15.2" | - |
Affected
| ||||||