CVE-2018-3824

Published: Sep 19, 2018Modified: Nov 21, 2024

6.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user.

Affected (6)

Products: Elastic: Elasticsearch X Pack, Kibana X Pack, Logstash X Pack

3 products

Elasticsearch X Pack

Logstash X Pack

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Elastic Elasticsearch X Pack	Before 5.6.9
Elastic Elasticsearch X Pack	From 6.0.0 to 6.2.4

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Elastic Kibana X Pack	Before 5.6.9
Elastic Kibana X Pack	From 6.0.0 to 6.2.4

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Elastic Logstash X Pack	Before 5.6.9
Elastic Logstash X Pack	From 6.1.0 to 6.2.4

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://discuss.elastic.co/t/elastic-stack-6-2-4-and-5-6-9-security-update/128422

Source: security@elastic.co

Vendor Advisory

https://www.elastic.co/community/security

Source: security@elastic.co

Vendor Advisory

https://discuss.elastic.co/t/elastic-stack-6-2-4-and-5-6-9-security-update/128422

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.elastic.co/community/security

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.