CVE-2020-7012: Code Injection
First published: Wed Jun 03 2020(Updated: )
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Kibana | >=6.7.0<=6.8.8 | |
| Elastic Kibana | >=7.0.0<=7.6.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-7012?
CVE-2020-7012 is a vulnerability in Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 that allows an attacker to execute arbitrary code.
How severe is CVE-2020-7012?
CVE-2020-7012 has a severity rating of 8.8 (high).
What is the affected software for CVE-2020-7012?
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 are affected by CVE-2020-7012.
How can an attacker exploit CVE-2020-7012?
An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code.
Is there a fix or patch available for CVE-2020-7012?
Yes, Elastic has released a patch to fix CVE-2020-7012. It is recommended to update to the latest version of Kibana.
- collector/nvd-index
- vendor/elastic
- canonical/elastic kibana
- version/elastic kibana/6.7.0
- version/elastic kibana/6.8.8
- version/elastic kibana/7.0.0
- version/elastic kibana/7.6.2