Incorrect permission assignment for critical resource in Kibana
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-7618 |
| CWE-ID | CWE-732 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Kibana Web applications / Other software |
| Vendor | Elastic Stack |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Incorrect permission assignment for critical resource
EUVDB-ID: #VU35199
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-7618
CWE-ID:
CWE-732 - Incorrect Permission Assignment for Critical Resource
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local filesystem of the Kibana instance running Code with the permission of the Kibana system user.
MitigationInstall update from vendor's website.
Vulnerable software versionsKibana: 7.3.0 - 7.3.2
External linkshttp://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831
http://staging-website.elastic.co/community/security
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
