PT-2020-19338 · Elastic · Kibana

Published

2020-06-03

Updated

2020-10-19

CVE-2020-7013

CVSS v3.1

7.2

High

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Kibana versions prior to 6.8.9 Kibana versions prior to 7.7.0

Description The issue is related to a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code, potentially leading to an attacker executing code with the permissions of the Kibana process on the host system.

Recommendations For versions prior to 6.8.9, update to version 6.8.9 or later. For versions prior to 7.7.0, update to version 7.7.0 or later. As a temporary workaround, consider restricting the creation of TSVB visualizations to trusted users until a patch is applied.

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2020-7013

Affected Products

Kibana

PT-2020-19338 · Elastic · Kibana

CVE-2020-7013

Weakness Enumeration

Related Identifiers

Affected Products

References · 4