Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html | Exploit Third Party Advisory VDB Entry |
https://access.redhat.com/errata/RHBA-2019:2824 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2019:2860 | Third Party Advisory |
https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077 | Vendor Advisory |
https://www.elastic.co/community/security | Broken Link Vendor Advisory |
Configurations
History
24 Jul 2024, 16:58
Type | Values Removed | Values Added |
---|---|---|
References | () http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry | |
References | () https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077 - Vendor Advisory | |
References | () https://www.elastic.co/community/security - Broken Link, Vendor Advisory |
Information
Published : 2019-03-25 19:29
Updated : 2024-07-24 16:58
NVD link : CVE-2019-7609
Mitre link : CVE-2019-7609
CVE.ORG link : CVE-2019-7609
JSON object : View
Products Affected
redhat
- openshift_container_platform
elastic
- kibana
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')