CVE-2021-37938: 
Kibana vulnerability analysis and mitigation

A path traversal vulnerability was discovered in Kibana (CVE-2021-37938) affecting Windows operating systems. The vulnerability exists because Kibana failed to validate user-supplied paths when loading .pbf files, allowing malicious users to traverse the Kibana host directory structure arbitrarily to access internal files with .pbf extensions. This vulnerability affects Kibana versions from 7.9.0 through 7.15.1 and was discovered by Dominic Couture (Elastic Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-269 (Improper Privilege Management). The technical issue stems from insufficient path validation specifically on Windows operating systems when handling .pbf files (NVD).

When exploited, this vulnerability allows an authenticated malicious user to access internal files with .pbf extensions on the Kibana host system through directory traversal. The impact is limited to confidentiality breach with no direct impact on integrity or availability of the system (NVD).

The vulnerability was addressed in Kibana version 7.15.2. Users running affected versions (7.9.0 through 7.15.1) should upgrade to version 7.15.2 or later to mitigate this security issue (Elastic Advisory).