CyberSec.Space Logo
Back to CVE Browser

CVE-2019-7610

CRITICAL
9.0
CVSS Severity Score
EPSS Score0.0110%
EPSS Percentile38.15th
PublishedMar 25, 2019
Last ModifiedNov 21, 2024

Vulnerability Description

Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

Affected Platforms (CPE)

πŸ“¦
Elastic

Kibana

< 5.6.15
πŸ“¦
Elastic

Kibana

>= 6.0.0 and < 6.6.1

References & Advisories

πŸ”— https://access.redhat.com/errata/RHBA-2019:2824
πŸ”— https://access.redhat.com/errata/RHSA-2019:2860
πŸ”— https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
πŸ”— https://www.elastic.co/community/security
πŸ”— https://access.redhat.com/errata/RHBA-2019:2824
πŸ”— https://access.redhat.com/errata/RHSA-2019:2860
πŸ”— https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
πŸ”— https://www.elastic.co/community/security

Related Vulnerabilities

CVE-2019-760910.0

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with acce...

CVE-2018-172459.8

Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when ge...

CVE-2018-172469.8

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to...

CVE-2019-134238.8

Search Guard Kibana Plugin versions before 5.6.8-7 and before 6.x.y-12 had an issue that an authenticated Kibana user could impers...