CVE-2021-22151 — Path Traversal in Kibana

CWE-22 — Path Traversal4 documents4 sources

Severity

4.3MEDIUMNVD

CNA3.1

EPSS

0.6%

top 30.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elastic Kibana

Timeline

PublishedNov 22

Description

It was discovered that Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5elastic/kibana7.9.0 — 7.14.0

▶NVDelastic/kibana7.9.0 — 7.14.0

🔴Vulnerability Details

CVEList

Kibana path traversal issue↗2023-11-22

▶

GHSA

GHSA-rj62-3vmp-2f6j: It was discovered that Kibana was not validating a user supplied path, which would load↗2023-11-22

▶

💬Community

HackerOne

Fix for CVE-2021-22151 (Kibana path traversal issue) can be bypassed on Windows↗2021-11-15

▶