CVE-2019-7609

critical

Description

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system.

From the Tenable Blog

CVE-2019-7609: Exploit Script Available for Kibana Remote Code Execution Vulnerability

Published: 2019-10-22

An exploit script for the previously patched Kibana vulnerability is now available on GitHub.

Background

On October 21, an exploit script was published to GitHub for a patched vulnerability in Kibana, the open-source data visualization plugin for Elasticsearch. Elasticsearch and Kibana are part of the popular Elastic Stack (also known as ELK Stack), a series of open-source applications used for centralized log management.

References

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

https://www.tenable.com/blog/government-advisories-warn-of-apt-activity-resulting-from-russian-invasion-of-ukraine

https://www.tenable.com/blog/cve-2019-7609-exploit-script-available-for-kibana-remote-code-execution-vulnerability

https://www.elastic.co/community/security

https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077

https://access.redhat.com/errata/RHSA-2019:2860

https://access.redhat.com/errata/RHBA-2019:2824

http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html

Details

Source: MITRE, NVD

Published: 2019-03-25

Updated: 2024-07-24

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Severity: Critical