Published: Mar 07, 2025 17:15
Advisory No: TZCERT-SA-25-0066
Source: Elastic
Software Affected: Kibana versions 8.15.0 to 8.17.2
Elastic has released Kibana 8.17.3 to address a prototype pollution vulnerability in Kibana versions 8.15.0 to 8.17.2. Exploitation of this vulnerability may allow an attacker to execute arbitrary code through crafted file uploads and HTTP requests.
Elastic has issued a critical security update for its Kibana data visualization dashboard, addressing a prototype pollution vulnerability (CVE-2025-25012) with a CVSS score of 9.9. This flaw allows attackers to execute arbitrary code through crafted file uploads and HTTP requests. In Kibana versions 8.15.0 to 8.17.0, the vulnerability is exploitable by users with the Viewer role. For versions 8.17.1 and 8.17.2, exploitation requires privileges such as 'fleet-all', 'integrations-all', and 'actions:execute-advanced-connectors'.
Successful exploitation of this vulnerability allows an attacker to take control of the affected system.
Elastic has released security patches for this vulnerability. Users and administrators are encouraged to upgrade to Kibana version 8.17.3. For those unable to upgrade immediately, a temporary mitigation is to set xpack.integration_assistant.enabled: false in Kibana’s configuration.
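As an added triage example (not code from Elastic or TZCERT), the following Python script checks a Kibana version string against the affected range given above, reports which privilege level the advisory says exploitation needs for that version, and checks whether the interim mitigation is set in a kibana.yml. The minimal single-key config scanner and the sample kibana.yml are constructed for this example and are not part of Kibana's own tooling.

```python
"""Triage helper for the Kibana prototype pollution advisory (CVE-2025-25012).

Added example: given a Kibana version string and the text of a kibana.yml, report
whether the instance is in the affected range (8.15.0 to 8.17.2), which privilege
level the advisory says is needed, and whether the interim mitigation
(xpack.integration_assistant.enabled: false) is present. The config scanner is a
deliberate line-level approximation so the script runs without third-party packages.
"""
from __future__ import annotations
import re

AFFECTED_MIN = (8, 15, 0)
VIEWER_EXPLOITABLE_MAX = (8, 17, 0)   # 8.15.0 to 8.17.0: Viewer role suffices
FIXED = (8, 17, 3)                    # first fixed release per the advisory
MITIGATION_KEY = "xpack.integration_assistant.enabled"

# Constructed sample kibana.yml with the mitigation commented out (i.e. NOT applied).
SAMPLE_KIBANA_YML = """server.port: 5601
# xpack.integration_assistant.enabled: false
elasticsearch.hosts: ["http://localhost:9200"]
"""

def parse_version(text: str) -> tuple[int, ...]:
    """Accept '8.17.2', 'v8.17.2' or '8.17.2-SNAPSHOT'; reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(x) for x in m.groups())

def mitigation_applied(kibana_yml: str) -> bool:
    """True only if the key is set to false, uncommented, at the top level of the file."""
    for line in kibana_yml.splitlines():
        stripped = line.split("#", 1)[0].strip()      # drop trailing/leading comments
        if stripped.startswith(MITIGATION_KEY + ":"):
            value = stripped.split(":", 1)[1].strip().strip("\"'").lower()
            return value == "false"
    return False

def assess(version: str, kibana_yml: str = "") -> dict:
    """Return affected/privilege/mitigation status and the recommended action."""
    v = parse_version(version)
    if v < AFFECTED_MIN or v >= FIXED:
        return {"affected": False, "required_privilege": None, "mitigated": None,
                "action": "none"}
    privilege = ("Viewer role" if v <= VIEWER_EXPLOITABLE_MAX
                 else "fleet-all / integrations-all / actions:execute-advanced-connectors")
    mitigated = mitigation_applied(kibana_yml)
    action = ("upgrade to 8.17.3 (interim mitigation present)" if mitigated
              else "upgrade to 8.17.3 now, or set the interim mitigation until you can")
    return {"affected": True, "required_privilege": privilege,
            "mitigated": mitigated, "action": action}

if __name__ == "__main__":
    print(assess("8.17.2", SAMPLE_KIBANA_YML))
```

The scanner intentionally ignores nested YAML mappings, so a key written in block form (`xpack:` / `integration_assistant:` / `enabled: false`) is reported as not applied; treat that as a prompt to inspect the file by hand.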