CVE-2020-7016 : Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw i

Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive.

Published 2020-07-27 18:15:14

Updated 2022-11-16 03:54:41

Source Elastic

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2020-7016

Oracle » Peoplesoft Enterprise Peopletools » Version: 8.58
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Billing And Revenue Management » Version: 12.0.0.3.0
cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Function Cloud Native Environment » Version: 1.7.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.7.0:*:*:*:*:*:*:*
Matching versions
Elasticsearch » Kibana
Versions before (<) 6.8.11
cpe:2.3:a:elasticsearch:kibana:*:*:*:*:*:*:*:*
Matching versions
Elasticsearch » Kibana
Versions from including (>=) 7.0.0 and before (<) 7.8.1
cpe:2.3:a:elasticsearch:kibana:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-7016

EPSS FAQ

0.38%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 56 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-7016

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:N/AC:H/Au:S/C:N/I:N/A:P	3.9	2.9	NIST
Access Vector: Network Access Complexity: High Authentication: Single Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
4.8	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H	1.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2020-7016

CWE-185 Incorrect Regular Expression

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

Assigned by: bressers@elastic.co (Secondary)
CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-7016

https://www.oracle.com//security-alerts/cpujul2021.html

Oracle Critical Patch Update Advisory - July 2021
Patch;Third Party Advisory

CVEs referencing this url
https://discuss.elastic.co/t/elastic-stack-6-8-11-and-7-8-1-security-update/242786

Elastic Stack 6.8.11 and 7.8.1 security update - Announcements / Security Announcements - Discuss the Elastic Stack
Release Notes;Vendor Advisory

CVEs referencing this url
https://www.elastic.co/community/security/

Elastic Stack Security Disclosures · Report Issues | Elastic
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-7016

Products affected by CVE-2020-7016

Exploit prediction scoring system (EPSS) score for CVE-2020-7016

CVSS scores for CVE-2020-7016

CWE ids for CVE-2020-7016

References for CVE-2020-7016