Advisories

Wazuh Manager - NDJSON Injection in inventory_sync via Agent-Controlled DataValue.index

Go Back
severity
critical
date
Affecting
  • wazuh >= 5.0.0-beta1, < 5.0.0-beta3

CWE
  • CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVSS
10.0
CVSS V4 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Credit
TarPeg007, juliancnn
Description
Wazuh Manager before 5.0.0-beta3 fails to escape the DataValue.index field when constructing OpenSearch bulk requests, allowing enrolled agents to inject arbitrary NDJSON operations. Attackers can smuggle delete, index, or update operations into bulk requests executed under the manager's admin credentials, enabling document deletion, alert tampering, and cross-agent SIEM state manipulation.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.
  • Vulnerability Prioritization
    Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
  • Early Warning System
    Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.