Vulnerability Details : CVE-2019-7609
Public exploit exists!
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that attempts to execute JavaScript code. This could lead to the attacker executing arbitrary commands with the permissions of the Kibana process on the host system.
Products affected by CVE-2019-7609
- cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
- cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*
CVE-2019-7609 is in the CISA Known Exploited Vulnerabilities Catalog
- CISA vulnerability name: Kibana Arbitrary Code Execution
- CISA required action: Apply updates per vendor instructions.
- CISA description: Kibana contains an arbitrary code execution flaw in the Timelion visualizer.
- Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-7609
- Added on: 2022-01-10
- Action due date: 2022-07-10
Exploit prediction scoring system (EPSS) score for CVE-2019-7609
- EPSS score: 94.42% (probability of exploitation activity in the next 30 days)
- Percentile: ~100% (the proportion of vulnerabilities that are scored at or less than this one)
- EPSS Score History
Metasploit modules for CVE-2019-7609
- Kibana Timelion Prototype Pollution RCE
  Disclosure Date: 2019-10-30
  First seen: 2023-09-11
  Module: exploit/linux/http/kibana_timelion_prototype_pollution_rce
  Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This leads to an arbitrary command execut
CVSS scores for CVE-2019-7609
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
| 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-02-07 |
| 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 3.9 | 6.0 | NIST | |
CWE ids for CVE-2019-7609
- The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
  Assigned by:
  - bressers@elastic.co (Secondary)
  - nvd@nist.gov (Primary)
References for CVE-2019-7609
- http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html
  Kibana Timelion Prototype Pollution Remote Code Execution ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
  Elastic Stack 6.6.1 and 5.6.15 security update - Security Announcements - Discuss the Elastic Stack (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2019:2860
  RHSA-2019:2860 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://www.elastic.co/community/security
  Elastic Stack Security Disclosures · Report Issues | Elastic (Broken Link; Vendor Advisory)
- https://access.redhat.com/errata/RHBA-2019:2824
  (Third Party Advisory)