CVE-2019-7609

critical

Description

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system.

References

https://access.redhat.com/errata/RHBA-2019:2824

https://access.redhat.com/errata/RHSA-2019:2860

https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077

https://www.elastic.co/community/security

Details

Source: MITRE

Published: 2019-03-25

Updated: 2020-10-19

Type: CWE-94

Risk Information

CVSS v2

Base Score: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 10

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Impact Score: 6

Exploitability Score: 3.9

Severity: CRITICAL

Tenable Plugins


ID     | Name                                                           | Product                  | Family                        | Severity
98982  | Kibana 6.x < 6.6.1 Multiple Vulnerabilities                    | Web Application Scanning | Component Vulnerability       | critical
98981  | Kibana < 5.6.15 Multiple Vulnerabilities                       | Web Application Scanning | Component Vulnerability       | critical
701234 | Kibana 5.x < 5.6.15 / 6.x < 6.6.1 Multiple Vulnerabilities     | Nessus Network Monitor   | Generic                       | critical
129396 | RHEL 7 : OpenShift Container Platform 4.1.18 (RHSA-2019:2860)  | Nessus                   | Red Hat Local Security Checks | critical
122589 | Kibana ESA-2019-01, ESA-2019-02, ESA-2019-03                   | Nessus                   | CGI abuses                    | critical