CVEブラウザに戻る

CVE-2019-7609

Known Exploited (CISA KEV)CRITICAL

10.0

CVSS Severity Score

EPSS Score53.7390%

EPSS Percentile88.27th

Published2019年3月25日

Last Modified2025年11月7日

Vulnerability Description

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

Affected Platforms (CPE)

📦

Elastic

Kibana

< 5.6.15

📦

Elastic

Kibana

>= 6.0.0 and < 6.6.1

📦

Redhat

Openshift Container Platform

= 3.11

📦

Redhat

Openshift Container Platform

= 4.1

References & Advisories

🔗 http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html

🔗 https://access.redhat.com/errata/RHBA-2019:2824

🔗 https://access.redhat.com/errata/RHSA-2019:2860

🔗 https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077

🔗 https://www.elastic.co/community/security

🔗 http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html

🔗 https://access.redhat.com/errata/RHBA-2019:2824

🔗 https://access.redhat.com/errata/RHSA-2019:2860

関連する脆弱性情報

CVE-2018-172469.8

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to...

CVE-2018-172459.8

Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when ge...

CVE-2019-76109.0

Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the s...

CVE-2019-134238.8

Search Guard Kibana Plugin versions before 5.6.8-7 and before 6.x.y-12 had an issue that an authenticated Kibana user could impers...