CVE-2019-7609

CVSS 9.8 CRITICAL · EPSS 95.3% · KEV · CWE-94

In short

Kibana's Timelion visualizer allows attackers with application access to execute arbitrary JavaScript code, which can lead to running commands on the server with Kibana's permissions.

Technical detail

CVE-2019-7609 is an arbitrary code execution vulnerability in the Timelion visualizer (CWE-94: Improper Control of Generation of Code) affecting Kibana versions before 5.6.15 and 6.6.1. An authenticated attacker can craft a malicious request to inject and execute JavaScript, potentially achieving remote code execution with the privileges of the Kibana process on the host system.

Summary generated and translated by AI from the official description.
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Elastic · Kibana