CVE-2021-22150 MEDIUM

CVE-2021-22150: Kibana code execution issue

Vendor Elastic
Product Kibana
Weakness CWE-94 · Code injection
Published November 22, 2023
Last update December 2, 2024

CVSS base score

6.6/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

It was discovered that a user with Fleet admin permissions could upload a malicious package. Due to using an older version of the js-yaml library, this package would be loaded in an insecure manner, allowing an attacker to execute commands on the Kibana server.

Key dates

02 Disclosure timeline

November 22, 2023 CVE published
December 2, 2024 Record updated