PT-2020-19337 · Elastic · Kibana

Published: 2020-06-03 · Updated: 2020-08-14 · CVE-2020-7012

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Kibana versions 6.7.0 through 6.8.8
Kibana versions 7.0.0 through 7.6.2

Description

The issue is a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code, potentially leading to code execution with the permissions of the Kibana process on the host system.

Recommendations

For Kibana versions 6.7.0 through 6.8.8, update to a version outside of this range to mitigate the risk.
For Kibana versions 7.0.0 through 7.6.2, update to a version outside of this range to mitigate the risk.
As a temporary workaround, consider restricting access to the Upgrade Assistant to minimize the risk of exploitation.

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2020-7012

Affected Products

Kibana