CVE-2018-3824
CVE-2018-3824 is a vulnerability of currently unknown severity. X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has an ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user. EPSS estimates a 0.87% chance of exploitation in the next 30 days.
Description
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has an ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Elastic | Elasticsearch X-Pack | < 5.6.9 |
| Elastic | Elasticsearch X-Pack | >= 6.0.0, < 6.2.4 |
| Elastic | Kibana X-Pack | < 5.6.9 |
| Elastic | Kibana X-Pack | >= 6.0.0, < 6.2.4 |
| Elastic | Logstash X-Pack | < 5.6.9 |
| Elastic | Logstash X-Pack | >= 6.1.0, < 6.2.4 |
References
- https://www.elastic.co/community/security (Vendor Advisory)
Source: NVD / NIST
