CVE-2023-31415

moderate-risk

Published 2023-05-04

Kibana version 8.7.0 contains an arbitrary code execution flaw. An attacker with All privileges to the Uptime/Synthetics feature could send a request that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with permissions of the Kibana process.

Do I need to act?

0.83% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (1)

Kibana

Affected Vendors

Elastic

References (4)

Vendor Advisory https://discuss.elastic.co/t/kibana-8-7-1-security-updates/332330

Vendor Advisory https://www.elastic.co/community/security/

Vendor Advisory https://discuss.elastic.co/t/kibana-8-7-1-security-updates/332330

Vendor Advisory https://www.elastic.co/community/security/

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 3/34 · Minimal

Exposure 5/34 · Minimal