{"id":"CVE-2018-17246","details":"Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.","modified":"2026-06-26T03:54:57.317955430Z","published":"2018-12-20T22:29:00.367Z","database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"redhat:openshift_container_platform","extracted_events":[{"last_affected":"3.11"}]}]},"references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/106285"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHBA-2018:3743"},{"type":"ADVISORY","url":"https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594"},{"type":"ADVISORY","url":"https://www.elastic.co/community/security"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/elasticsearch","events":[{"introduced":"253032b4a7818992af360097e3ddc1475fa7b044"},{"fixed":"4d5320bd33d4392a48dda37c4602dbe1b6a5b6cb"},{"introduced":"8f0685b924b9159807704ec2593b26e28105da44"},{"fixed":"fe40335c1e4fa7db9e38001fa99d19526f3bc5ce"}],"database_specific":{"extracted_events":[{"introduced":"5.0.0"},{"fixed":"5.6.13"},{"introduced":"6.0.0"},{"fixed":"6.4.3"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-17246.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/kibana","events":[{"introduced":"c5af7a418333df6a934b8d1a5648c675641388bd"},{"fixed":"689427c076a5a45dc59d113df04bd4522c105391"},{"introduced":"f8bc449f5a6b28d0597730b1cf03fefe7e33422e"},{"fixed":"968768f01f873fec244749abc3c6e939d0e3eda0"}],"database_specific":{"extracted_events":[{"introduced":"5.0.0"},{"fixed":"5.6.13"},{"introduced":"6.0.0"},{"fixed":"6.4.3"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-17246.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}