Main Vulnerability Database Vulnerabilities #VU18083

#VU18083 Code Injection in Kibana - CVE-2019-7610

Published: March 27, 2019

Vulnerability identifier: #VU18083

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2019-7610

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Kibana

Software vendor:
Elastic Stack

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in the security audit logger, if the setting xpack.security.audit.enabled set to true. A remote attacker can send a specially crafted request and execute arbitrary javascript code on the target system with privileges of the Kibana process on the host system.

Remediation

Install updates from vendor's website.

External links

https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
https://www.elastic.co/community/security

#VU18083 Code Injection in Kibana - CVE-2019-7610

Description

Remediation

External links

Please verify you're human