CVE-2019-7609: Kibana Arbitrary Code Execution
First published: Mon Mar 25 2019(Updated: )
Kibana contain an arbitrary code execution flaw in the Timelion visualizer.
Credit: bressers@elastic.co bressers@elastic.co bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Kibana | <5.6.15 | |
| Elastic Kibana | >=6.0.0<6.6.1 | |
| Redhat Openshift Container Platform | =3.11 | |
| Redhat Openshift Container Platform | =4.1 | |
| redhat/kibana | <5.6.15 | 5.6.15 |
| redhat/kibana | <6.6.1 | 6.6.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html
- https://access.redhat.com/errata/RHBA-2019:2824
- https://access.redhat.com/errata/RHSA-2019:2860
- https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
- https://www.elastic.co/community/security
- https://access.redhat.com/security/cve/cve-2019-7609
- https://bugzilla.redhat.com/show_bug.cgi?id=1696030
- https://nvd.nist.gov/vuln/detail/CVE-2019-7609
Frequently Asked Questions
What is CVE-2019-7609?
CVE-2019-7609 is a vulnerability that exists in Kibana versions before 5.6.15 and 6.6.1, allowing an attacker to execute arbitrary code.
Which applications are affected by CVE-2019-7609?
Kibana versions before 5.6.15 and 6.6.1 are affected by CVE-2019-7609.
What is the severity of CVE-2019-7609?
CVE-2019-7609 has a severity level of critical.
How can an attacker exploit CVE-2019-7609?
An attacker with access to the Timelion application in Kibana could send a request to execute JavaScript code.
How can I mitigate the vulnerability?
To mitigate the vulnerability, update your Kibana installation to version 5.6.15 or above for Kibana 5.x, or version 6.6.1 or above for Kibana 6.x.
- collector/nvd-index
- agent/author
- agent/type
- agent/softwarecombine
- agent/severity
- agent/weakness
- agent/title
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-7609
- agent/software-canonical-lookup
- agent/description
- collector/nvd-api
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/references
- agent/tags
- collector/nvd-cve
- vendor/elastic
- canonical/elastic kibana
- version/elastic kibana/6.0.0
- vendor/redhat
- canonical/redhat openshift container platform
- version/redhat openshift container platform/3.11
- version/redhat openshift container platform/4.1
- package-manager/redhat