EIQ-2019-0012

ID

EIQ-2019-0012

CVE

CVE-2019-7609

Description

Kibana Timelion visualizer could allow arbitrary code execution

Date

12 Mar 2019

Severity

3 - HIGH

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

✅ Fixed in 2.3.4

Assessment

Kibana releases before 5.6.15 (5.x line) and before 6.6.1 (6.x line) contain an arbitrary code execution flaw in the Timelion visualizer.

An attacker who can reach the Timelion application could send a request that attempts to execute JavaScript code inside the Kibana server.

This could allow the attacker to execute arbitrary commands on the host system with the permissions of the Kibana process.

Mitigation

Upgrade Kibana to 5.6.15 (5.x line) or 6.6.1 (6.x line).

Affected versions

2.3.3 and earlier.

Notes

As a workaround, Timelion can be disabled by setting timelion.enabled: false in the kibana.yml configuration file; Kibana must be restarted for the setting to take effect. This removes the vulnerable attack surface but does not patch the flaw, so the upgrade above is still required.
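The following shell script is an added example, not part of this advisory or of any EclecticIQ or Elastic tooling. It classifies a Kibana version string against the fixed releases named above (5.6.15 for the 5.x line, 6.6.1 for the 6.x line; anything older than 5.x is treated as affected, anything 7.x or newer as fixed) and checks whether a kibana.yml applies the timelion.enabled workaround. The live-version lookup assumes Kibana's /api/status endpoint returns JSON containing "version":{"number":"x.y.z"}; the variables KIBANA_URL and KIBANA_YML and the function names are hypothetical choices for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): is this Kibana affected by CVE-2019-7609,
# and is the Timelion workaround in place?

FIX_5="5.6.15"   # fixed release in the 5.x line
FIX_6="6.6.1"    # fixed release in the 6.x line

# Return 0 if dotted version $1 is strictly lower than $2, 1 otherwise.
# Pure awk so it works without GNU 'sort -V'.
version_lt() {
    [ "$1" = "$2" ] && return 1
    echo "$1 $2" | awk '{
        n1 = split($1, a, "."); n2 = split($2, b, ".");
        n = (n1 > n2) ? n1 : n2;
        for (i = 1; i <= n; i++) {
            x = (i <= n1) ? a[i] + 0 : 0;
            y = (i <= n2) ? b[i] + 0 : 0;
            if (x < y) exit 0;
            if (x > y) exit 1;
        }
        exit 1;
    }'
}

# Print "vulnerable" or "fixed" for a Kibana version such as 6.6.0 or 5.6.15.
# A build suffix (e.g. 6.6.1-SNAPSHOT) is ignored for the comparison.
kibana_status() {
    v="${1%%-*}"
    major="${v%%.*}"
    case "$major" in
        5) version_lt "$v" "$FIX_5" && echo vulnerable || echo fixed ;;
        6) version_lt "$v" "$FIX_6" && echo vulnerable || echo fixed ;;
        *) if [ "$major" -lt 5 ]; then echo vulnerable; else echo fixed; fi ;;
    esac
}

# Print "disabled" if kibana.yml ($1) sets timelion.enabled: false, else "enabled".
# Only an uncommented top-level key counts; a commented-out line is not a workaround.
timelion_state() {
    if grep -Eq '^[[:space:]]*timelion\.enabled:[[:space:]]*false([[:space:]]|$)' "$1"; then
        echo disabled
    else
        echo enabled
    fi
}

# Fetch the running version from a live instance (assumption: /api/status JSON
# carries "version":{"number":"x.y.z"}). Needs curl and network access.
kibana_live_version() {
    curl -s "$1/api/status" | grep -o '"number":"[^"]*"' | head -n 1 | cut -d'"' -f4
}

# Usage: KIBANA_URL=http://kibana.example:5601 KIBANA_YML=/etc/kibana/kibana.yml sh check.sh
if [ -n "${KIBANA_URL:-}" ]; then
    ver=$(kibana_live_version "$KIBANA_URL")
    echo "Kibana $ver: $(kibana_status "$ver")"
fi
if [ -n "${KIBANA_YML:-}" ]; then
    echo "Timelion in $KIBANA_YML: $(timelion_state "$KIBANA_YML")"
fi
```

Run it from a host that can reach the Kibana instance; if the result is "vulnerable" and Timelion is "enabled", treat the host as exposed until it is upgraded, since the workaround only narrows the attack surface.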