Question related to ESA-2025-06 (security advisory)

Tears · March 6, 2025, 12:57pm

Hello,

ESA-2025-06 is a security advisory about a prototype pollution vulnerability. This avisory references the following CVE ID : CVE-2025-25012

Unless I'm mistaken, there is a different CVE ID in the mitre API for the very same vulnerability :

CVE-2025-25015 : Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests.In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2 , this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors

Is it a duplicate CVE or an error in ESA-2025-06 ?

Thank you in advance !

RylandHerrick · March 7, 2025, 2:26am

Thank you for the correction, @Tears. The referenced CVE was in fact a typo, and the advisory has since been amended.

Topic		Replies	Views
Kibana 8.17.3 Security Update (ESA-2025-06) Security Announcements	0	12110	March 5, 2025
Q rel ESA-2025-06 Elastic Security	6	78	March 12, 2025
Kibana 8.14.2 / 7.17.23 Security Update (ESA-2024-22) Security Announcements docker	6	15053	August 13, 2024
ELK Security Kibana	6	127	August 26, 2024
Kibana 7.17.23/8.14.0 Security Update (ESA-2024-16) Security Announcements	0	1618	July 30, 2024