CVE-2019-7609

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*

History

24 Jul 2024, 16:58

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html - () http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry
References () https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077 - Mitigation, Vendor Advisory () https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077 - Vendor Advisory
References () https://www.elastic.co/community/security - Vendor Advisory () https://www.elastic.co/community/security - Broken Link, Vendor Advisory

08 Sep 2023, 23:15

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html -

Information

Published : 2019-03-25 19:29

Updated : 2024-07-24 16:58


NVD link : CVE-2019-7609

Mitre link : CVE-2019-7609

CVE.ORG link : CVE-2019-7609


JSON object : View

Products Affected

redhat

  • openshift_container_platform

elastic

  • kibana
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')