Lucene search

ElasticCVE-2019-7609

HistoryMar 25, 2019 - 7:29 p.m.

CVE-2019-7609

2019-03-2519:29:02

CWE-94

elastic

web.nvd.nist.gov

988

In Wild

kibana

cve-2019-7609

timelion

code execution

nvd

security vulnerability

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.973

Percentile

99.9%

JSON

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

Affected configurations

Nvd

Node

elastickibanaRange<5.6.15

elastickibanaRange6.0.0–6.6.1

Node

redhatopenshift_container_platformMatch3.11

redhatopenshift_container_platformMatch4.1

VendorProductVersionCPE
elastickibana*cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*
redhatopenshift_container_platform3.11cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
redhatopenshift_container_platform4.1cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
elastic	kibana	*	cpe:2.3:a:elastic:kibana::::::::
redhat	openshift_container_platform	3.11	cpe:2.3:a:redhat:openshift_container_platform:3.11:::::::*
redhat	openshift_container_platform	4.1	cpe:2.3:a:redhat:openshift_container_platform:4.1:::::::*

CNA Affected

[
  {
    "vendor": "Elastic",
    "product": "Kibana",
    "versions": [
      {
        "version": "before 5.6.15 and 6.6.1",
        "status": "affected"
      }
    ]
  }
]