EIQ-2019-0011

ID

EIQ-2019-0011

CVE

CVE-2019-7610

Description

Kibana security audit logger could allow arbitrary code execution

Date

12 Mar 2019

Severity

3 - HIGH

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

✅ 2.3.4

Assessment

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the security audit logger.

If xpack.security.audit.enabled is set to true in a Kibana instance, an attacker could send a request that attempts to execute JavaScript code through the audit logger.

This could lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

Mitigation

Upgrade to Kibana 5.6.15 or 6.6.1.

Affected versions

2.3.3 and earlier.

Notes

If it is not specified in the kibana.yml configuration file, xpack.security.audit.enabled defaults to false.
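The two conditions in this advisory (an unpatched Kibana release and xpack.security.audit.enabled set to true, with the default being false when the key is absent) can be checked together. The following is an added example written for this page, not code from EclecticIQ or Elastic; it assumes kibana.yml uses the flat dotted-key form shown above rather than nested YAML, and the sample configuration strings are constructed.

```python
import re
from typing import Tuple

# First fixed release of each Kibana branch named in the advisory.
FIXED_5X = (5, 6, 15)
FIXED_6X = (6, 6, 1)

def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a Kibana version such as '6.5.4'; any suffix (e.g. '-SNAPSHOT') is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))

def kibana_version_affected(version: str) -> bool:
    """True when the release predates the fixes: anything before 5.6.15, or 6.x before 6.6.1."""
    v = parse_version(version)
    if v >= (6, 0, 0):
        return v < FIXED_6X
    return v < FIXED_5X

def audit_logging_enabled(kibana_yml: str) -> bool:
    """Read xpack.security.audit.enabled from kibana.yml text.
    A missing key means the default, false. Assumes the flat 'a.b.c: value' key style."""
    for raw in kibana_yml.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments and whitespace
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() == "xpack.security.audit.enabled":
            return value.strip().strip("\"'").lower() == "true"
    return False

def exposed_to_cve_2019_7610(version: str, kibana_yml: str) -> bool:
    """Exposure requires both: an unpatched release AND the audit logger switched on."""
    return kibana_version_affected(version) and audit_logging_enabled(kibana_yml)

# Constructed sample configurations (not taken from any real deployment).
SAMPLE_AUDIT_ON = "server.port: 5601\nxpack.security.audit.enabled: true\n"
SAMPLE_DEFAULT = "server.port: 5601\n# audit setting left unset, so it defaults to false\n"

if __name__ == "__main__":
    for ver in ("5.6.14", "5.6.15", "6.5.4", "6.6.1"):
        print(ver, "exposed:", exposed_to_cve_2019_7610(ver, SAMPLE_AUDIT_ON))
```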