CVE-2021-22150

Summary

It was discovered that a user with Fleet admin permissions could upload a malicious package. Due to using an older version of the js-yaml library, this package would be loaded in an insecure manner, allowing an attacker to execute commands on the Kibana server.

Affected Software

VendorProductVersion RangeStatus
ElasticKibana7.10.2 < 7.14.0affected

Weaknesses

  • CWE-94: CWE-94: Improper Control of Generation of Code

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References