Kibana 8.16.4 and 8.17.2 Security Update (ESA-2025-02)

ismisepaul · April 8, 2025, 3:53pm

Kibana Prototype Pollution can lead to code injection (ESA-2025-02)

Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal.

Affected Versions:
Kibana version 8.16.1 up to and including 8.17.1

Solutions and Mitigations:
Users should upgrade to version 8.16.4 and 8.17.2 or higher

For Users that cannot upgrade:
Customers who cannot upgrade to 8.16.4 or 8.17.2 and must stay on 8.16.1 can disable the integration assistant by setting xpack.integration_assistant.enabled: false in their kibana.yml configuration file.

Severity: CVSS v3.1: 8.7(High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVE ID: CVE-2024-12556

Topic		Replies	Views
Kibana 8.17.3 / 8.16.6 Security Update (ESA-2025-06) Security Announcements	0	14165	March 5, 2025
Question related to ESA-2025-02 (security advisory) Elastic Security	0	45	April 15, 2025
Elastic Stack 6.8.9 and 7.7.0 security update Security Announcements	1	9009	November 4, 2022
Kibana 8.17.6, 8.18.1, or 9.0.1 Security Update (ESA-2025-07) Security Announcements	0	6128	May 6, 2025
Question related to ESA-2025-06 (security advisory) Elastic Security	2	595	April 4, 2025

Kibana 8.16.4 and 8.17.2 Security Update (ESA-2025-02)

Related topics