CVE-2019-7616: SSRF
First published: Tue Jul 30 2019(Updated: )
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Kibana | <6.8.2 | |
| Elastic Kibana | >=7.0.0<7.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this Kibana vulnerability?
The vulnerability ID for this Kibana vulnerability is CVE-2019-7616.
What is the severity rating of CVE-2019-7616?
CVE-2019-7616 has a severity rating of medium (4.9).
Which versions of Kibana are affected by CVE-2019-7616?
Kibana versions before 6.8.2 and 7.2.1 are affected by CVE-2019-7616.
What is the vulnerability described in CVE-2019-7616?
CVE-2019-7616 is a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer in Kibana.
How can an attacker exploit CVE-2019-7616?
An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL, potentially leading to an attack.
- collector/nvd-index
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/type
- agent/event
- agent/description
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/elastic
- canonical/elastic kibana
- version/elastic kibana/7.0.0