CVE-2019-7609

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

CVSS v3 10.0 CRITICAL
CVSS v2.0 10.0 HIGH

10.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

10.0^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html	Exploit Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHBA-2019:2824	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2860	Third Party Advisory
https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077	Vendor Advisory
https://www.elastic.co/community/security	Broken Link Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:elastic:kibana::::::::
	cpe:2.3:a:elastic:kibana::::::::

Configuration 2 (hide)

OR	cpe:2.3:a:redhat:openshift_container_platform:3.11:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.1:::::::*

History

24 Jul 2024, 16:58

Type	Values Removed	Values Added
References	~~() http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html -~~	() http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry
References	~~() https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077 - Mitigation, Vendor Advisory~~	() https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077 - Vendor Advisory
References	~~() https://www.elastic.co/community/security - Vendor Advisory~~	() https://www.elastic.co/community/security - Broken Link, Vendor Advisory

Information

Published : 2019-03-25 19:29

Updated : 2024-07-24 16:58

NVD link : CVE-2019-7609

Mitre link : CVE-2019-7609

CVE.ORG link : CVE-2019-7609

JSON object : View

Products Affected

redhat

openshift_container_platform

elastic

kibana

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

10.0 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

10.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

JSON object

Attach tags to CVE-2019-7609

10.0^/10

10.0^/10

Attach tags to `CVE-2019-7609`