Kibana Prototype Pollution Vulnerability Leading to Arbitrary Code Execution

Vulnerability

A prototype pollution vulnerability has been identified in Kibana, allowing for arbitrary code execution. This issue arises from crafted HTTP requests sent to Kibana's machine learning and reporting endpoints. The vulnerability affects Kibana versions 8.3.0 through 8.17.5, 8.18.0, and 9.0.0. It is present in both self-hosted and Elastic Cloud deployments where the machine learning and reporting features are enabled.
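The bug class named above, shown as an added illustration that is not Kibana's code and does not reproduce the Kibana-specific request: a naive recursive merge of untrusted JSON (the usual prototype-pollution sink in a Node.js service) beside a hardened merge that refuses the keys which alter the prototype chain. The request body and the names `unsafeMerge`, `safeMerge` and `pollutesGlobalPrototype` are constructed for this example.

```javascript
// Added illustration of the prototype-pollution bug class (not Kibana code).
// A naive recursive merge copies the "__proto__" key from parsed JSON as if it
// were an ordinary property, so the nested assignment lands on Object.prototype
// and every object in the process inherits the attacker-chosen value.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], value); // target["__proto__"] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that must never be merged from untrusted input: they change the
// prototype chain of the target instead of adding a plain property.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened variant: drops the forbidden keys and only descends into the
// target's own properties, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // or reject the whole request
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body of the kind a deep-merge sink would receive.
const UNTRUSTED_BODY = '{"settings":{"theme":"dark"},"__proto__":{"polluted":true}}';

// Reports whether an unrelated, freshly created object carries the injected
// property after `merge` processes the body; restores Object.prototype after.
function pollutesGlobalPrototype(merge) {
  try {
    merge({}, JSON.parse(UNTRUSTED_BODY));
    return ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
}
```

A pollution check like `pollutesGlobalPrototype` makes a useful regression test for any merge, extend or set-by-path helper that touches request data.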

Impact

Exploitation of this vulnerability allows for arbitrary code execution within the Kibana environment. In Elastic Cloud deployments, this execution is confined to the Kibana Docker container, although it could potentially be escalated under certain conditions.

Remediation

Users should upgrade to Kibana versions 8.17.6, 8.18.1, or 9.0.1. For those unable to upgrade, self-hosted users can disable either the Machine Learning or Reporting features. On Elastic Cloud, users can disable the Reporting feature by modifying the Kibana user settings.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         5.7
impact:        10.0
exploitability: 4.4
remediation:    8.3
relevance:      0.0
threat:         0.1
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.