CVE-2018-3824: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 13, 2022 (updated January 8, 2024)

X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user.

References

discuss.elastic.co/t/elastic-stack-6-2-4-and-5-6-9-security-update/128422
github.com/advisories/GHSA-mjpc-qx7h-r8c9
nvd.nist.gov/vuln/detail/CVE-2018-3824
www.elastic.co/community/security

Code Behaviors & Features

Detect and mitigate CVE-2018-3824 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →