CVE-2018-3823

Published: Sep 19, 2018Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs.

Affected (6)

Products: Elastic: Elasticsearch X Pack, Kibana X Pack, Logstash X Pack

3 products

Elasticsearch X Pack

Logstash X Pack

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Elastic Elasticsearch X Pack	Before 5.6.9
Elastic Elasticsearch X Pack	From 6.0.0 to 6.2.4

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Elastic Kibana X Pack	Before 5.6.9
Elastic Kibana X Pack	From 6.0.0 to 6.2.4

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Elastic Logstash X Pack	Before 5.6.9
Elastic Logstash X Pack	From 6.1.0 to 6.2.4

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://discuss.elastic.co/t/elastic-stack-6-2-4-and-5-6-9-security-update/128422

Source: security@elastic.co

Vendor Advisory

https://www.elastic.co/community/security

Source: security@elastic.co

Vendor Advisory

https://discuss.elastic.co/t/elastic-stack-6-2-4-and-5-6-9-security-update/128422

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.elastic.co/community/security

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.