CVEs-PoC/2021/CVE-2021-22150.md

### [CVE-2021-22150](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22150)
![](https://img.shields.io/static/v1?label=Product&message=Kibana&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=7.10.2%3C%207.14.0%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-94%3A%20Improper%20Control%20of%20Generation%20of%20Code&color=brighgreen)

### Description

It was discovered that a user with Fleet admin permissions could upload a malicious package. Due to using an older version of the js-yaml library, this package would be loaded in an insecure manner, allowing an attacker to execute commands on the Kibana server.

### POC

#### Reference
- https://www.elastic.co/community/security

#### Github
No PoCs found on GitHub currently.