by Snyk Security Researchers
Upgrade postgresql to version 13.19, 14.16, 15.11, 16.7, 17.3 or higher.
kibana is an open source (Apache Licensed), browser-based analytics and search dashboard for Elasticsearch.
Affected versions of this package are vulnerable to Prototype Pollution due to improper input validation, allowing exploitation through a crafted file upload and specifically crafted HTTP requests. By exploiting the prototype pollution vulnerability, an attacker can execute arbitrary code.
In Kibana versions >= 8.15.0 and < 8.17.1, exploiting this vulnerability requires the attacker to have a Viewer role. In Kibana versions 8.17.1 and 8.17.2, this is only exploitable by users whose roles contain all of the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors.
Note: The code execution impact is limited to the Kibana Docker container. This issue does not affect self-managed Kibana instances on Basic or Platinum licenses.
Amendment: This issue was found to be a duplicate. The original vulnerability with details can be found [here](https://security.snyk.io/vuln/).

through the deletion of a critical dependency which could be maliciously claimed by a third party. An attacker can execute arbitrary code on the system by installing compromised development dependencies.
Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel through the default REST endpoints. An attacker can bypass authentication controls and potentially log in as an existing user without proper credentials by exploiting these endpoints. This is only exploitable if custom REST endpoints are provided by developers but the default endpoints are not disabled.