CVE-2019-7610
N/A
N/A
Summary
Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Elastic | Kibana | before 6.6.1 | affected |
Weaknesses
- CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')
ADP Enrichment
CVE Program Container
Additional References
- https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
- https://www.elastic.co/community/security
- https://access.redhat.com/errata/RHSA-2019:2860
- https://access.redhat.com/errata/RHBA-2019:2824
References
- https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
- https://www.elastic.co/community/security
- https://access.redhat.com/errata/RHSA-2019:2860
- https://access.redhat.com/errata/RHBA-2019:2824
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.