CVE-2019-7610: Command Injection
First published: Mon Mar 25 2019(Updated: )
Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kibana | <5.6.15 | 5.6.15 |
| redhat/kibana | <6.6.1 | 6.6.1 |
| Elastic Kibana | <5.6.15 | |
| Elastic Kibana | >=6.0.0<6.6.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this security flaw?
The vulnerability ID for this security flaw is CVE-2019-7610.
What is the severity level of CVE-2019-7610?
CVE-2019-7610 has a severity level of critical.
Which software versions are affected by CVE-2019-7610?
Kibana versions before 6.6.1 and 5.6.15 are affected by CVE-2019-7610.
How can an attacker exploit this vulnerability?
An attacker can exploit this vulnerability by sending a request that attempts to execute JavaScript code.
Are there any remedies available for CVE-2019-7610?
Yes, the remedy for CVE-2019-7610 is to update to Kibana version 6.6.1 or 5.6.15.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-7610
- agent/software-canonical-lookup
- vendor/elastic
- canonical/elastic kibana
- version/elastic kibana/6.0.0
- package-manager/redhat