Kibana is vulnerable to arbitrary code execution attacks. The vulnerability exists in the Timelion visualizer when running `unflatten`, allowing an attacker to send a malicious request that will attempt to execute JavaScript code, leading to arbitrary command execution on the host system.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | kibana | eq | 5.1.1 |
| | kibana | le | 6.6.0 |
| | kibana | le | 5.6.14 |
| | kibana | eq | 4.6.4__4.el7 |
| | kibana | eq | 4.5.4__2.el7 |
| | kibana | eq | 4.6.4__3.el7 |
| | kibana | eq | 4.6.4__1.el7 |
| | kibana | eq | 5.6.10__1.el7 |
| | kibana | eq | 5.6.12__1.el7 |
| | kibana | eq | 3.1.2__2.el7ost |
access.redhat.com/errata/RHBA-2019:2824
access.redhat.com/errata/RHSA-2019:2860
discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
github.com/elastic/kibana/commit/6e63c2c944d8aaa8d2a02904d6f7acf482a0dfd2
github.com/elastic/kibana/commit/888209a8645a7dcb4cf3b5fb4f3ab2930078a4c5
www.elastic.co/community/security