CyberSec.Space Logo
Back to CVE Browser

CVE-2019-7609

Known Exploited (CISA KEV)CRITICAL
10.0
CVSS Severity Score
EPSS Score53.7390%
EPSS Percentile88.27th
PublishedMar 25, 2019
Last ModifiedNov 7, 2025

Vulnerability Description

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

Affected Platforms (CPE)

πŸ“¦
Elastic

Kibana

< 5.6.15
πŸ“¦
Elastic

Kibana

>= 6.0.0 and < 6.6.1
πŸ“¦
Redhat

Openshift Container Platform

= 3.11
πŸ“¦
Redhat

Openshift Container Platform

= 4.1

References & Advisories

πŸ”— http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html
πŸ”— https://access.redhat.com/errata/RHBA-2019:2824
πŸ”— https://access.redhat.com/errata/RHSA-2019:2860
πŸ”— https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
πŸ”— https://www.elastic.co/community/security
πŸ”— http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html
πŸ”— https://access.redhat.com/errata/RHBA-2019:2824
πŸ”— https://access.redhat.com/errata/RHSA-2019:2860

Related Vulnerabilities

CVE-2018-172469.8

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to...

CVE-2018-172459.8

Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when ge...

CVE-2019-76109.0

Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the s...

CVE-2019-134238.8

Search Guard Kibana Plugin versions before 5.6.8-7 and before 6.x.y-12 had an issue that an authenticated Kibana user could impers...