First published: Mon Mar 25 2019
Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system.
Credit: bressers@elastic.co
Affected Software | Affected Version | How to fix
---|---|---
Elastic Kibana | <5.6.15 | Upgrade to 5.6.15
Elastic Kibana | >=6.0.0 <6.6.1 | Upgrade to 6.6.1
redhat/kibana | <5.6.15 | 5.6.15
redhat/kibana | <6.6.1 | 6.6.1
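The advisory makes exposure conditional on two things: a version in one of the affected ranges above, and xpack.security.audit.enabled set to true in kibana.yml. The following script is an added example, not code from Elastic or SecAlerts; it encodes the two fixed versions from the table and scans a kibana.yml for that setting so a defender can triage an instance offline. The kibana.yml text embedded in it is constructed sample input, and the assumption that an absent setting means audit logging is off follows the advisory's wording ("set to true") rather than any documented default.

```python
"""Triage helper for CVE-2019-7610 (added example, not the project's own code).

Exposure requires BOTH a vulnerable Kibana version AND
xpack.security.audit.enabled: true in kibana.yml.
"""
import re
from typing import Tuple

# Fixed releases per the advisory: 5.x line fixed in 5.6.15, 6.x line in 6.6.1.
FIXED_5X = (5, 6, 15)
FIXED_6X = (6, 6, 1)

# Constructed sample kibana.yml (not from any real deployment).
SAMPLE_KIBANA_YML = """\
server.port: 5601
# audit logging turned on for compliance
xpack.security.audit.enabled: true   # trailing comment
elasticsearch.hosts: ["http://localhost:9200"]
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'v6.6.0' / '6.6.0' / '6.6.0-SNAPSHOT' into a comparable tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_is_vulnerable(version: str) -> bool:
    """True if the version falls in <5.6.15 or >=6.0.0 <6.6.1."""
    v = parse_version(version)
    if v < (6, 0, 0):
        return v < FIXED_5X
    return v < FIXED_6X


def audit_logging_enabled(kibana_yml: str) -> bool:
    """Return the value of xpack.security.audit.enabled from flat kibana.yml text.

    Handles '#' comments and quoted booleans; an absent key is treated as
    disabled (assumption: the advisory conditions the flaw on 'set to true').
    """
    for raw in kibana_yml.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() == "xpack.security.audit.enabled":
            return value.strip().strip("\"'").lower() == "true"
    return False


def assess(version: str, kibana_yml: str) -> str:
    """Classify an instance: 'exposed', 'vulnerable-version-audit-off', or 'fixed'."""
    vulnerable = version_is_vulnerable(version)
    audit_on = audit_logging_enabled(kibana_yml)
    if vulnerable and audit_on:
        return "exposed"
    if vulnerable:
        return "vulnerable-version-audit-off"
    return "fixed"


if __name__ == "__main__":
    for ver in ("5.6.14", "5.6.15", "6.0.0", "6.6.0", "6.6.1"):
        print(f"Kibana {ver}: {assess(ver, SAMPLE_KIBANA_YML)}")
```

Run it against a real kibana.yml by reading the file into the kibana_yml argument; an "exposed" result means the instance matches both advisory conditions and should be upgraded to 5.6.15 or 6.6.1 as the table states. A "vulnerable-version-audit-off" result is still a version that needs the upgrade, since a later configuration change would re-open the exposure.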
The vulnerability ID for this security flaw is CVE-2019-7610.
CVE-2019-7610 has a severity level of critical.
Kibana versions before 6.6.1 and 5.6.15 are affected by CVE-2019-7610.
An attacker can exploit this vulnerability by sending a request that attempts to execute JavaScript code.
The remedy for CVE-2019-7610 is to update to Kibana version 6.6.1 or 5.6.15.