Vulnerability Description
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Elastic | Elasticsearch X-Pack | < 5.6.9 |
| Elastic | Kibana X-Pack | < 5.6.9 |
| Elastic | Logstash X-Pack | < 5.6.9 |
Related Weaknesses (CWE)
References
- https://discuss.elastic.co/t/elastic-stack-6-2-4-and-5-6-9-security-update/12842Vendor Advisory
- https://www.elastic.co/community/securityVendor Advisory
- https://discuss.elastic.co/t/elastic-stack-6-2-4-and-5-6-9-security-update/12842Vendor Advisory
- https://www.elastic.co/community/securityVendor Advisory
FAQ
What is CVE-2018-3823?
CVE-2018-3823 is a vulnerability with a CVSS score of 5.4 (MEDIUM). X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their co...
How severe is CVE-2018-3823?
CVE-2018-3823 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-3823?
Check the references section above for vendor advisories and patch information. Affected products include: Elastic Elasticsearch X-Pack, Elastic Kibana X-Pack, Elastic Logstash X-Pack.