Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that attempts to execute JavaScript code. This could lead to the attacker executing arbitrary commands with the permissions of the Kibana process on the host system.
[
{
"signature_version": "v1",
"source": "https://github.com/elastic/elasticsearch/commit/4d5320bd33d4392a48dda37c4602dbe1b6a5b6cb",
"id": "CVE-2018-17246-1071202d",
"digest": {
"function_hash": "301237062243750302052828055619886557208",
"length": 745.0
},
"target": {
"file": "test/framework/src/main/java/org/elasticsearch/test/discovery/ClusterDiscoveryConfiguration.java",
"function": "unicastHostPorts"
},
"signature_type": "Function",
"deprecated": false
},
{
"signature_version": "v1",
"source": "https://github.com/elastic/elasticsearch/commit/4d5320bd33d4392a48dda37c4602dbe1b6a5b6cb",
"id": "CVE-2018-17246-9d70779f",
"digest": {
"threshold": 0.9,
"line_hashes": [
"174016456637773374405263839854623907758",
"65899717440937260928258610683341589212",
"140206647680195545314612796676295510306",
"178752616638806026573619557373683246684"
]
},
"target": {
"file": "test/framework/src/main/java/org/elasticsearch/test/discovery/ClusterDiscoveryConfiguration.java"
},
"signature_type": "Line",
"deprecated": false
}
]