
Elastic Kibana < 6.8.2, 7.x < 7.2.1 Multiple Vulnerabilities (ESA-2019-09, ESA-2019-10) - Windows (CVE-2019-7616, CVE-2019-10744)

Severity (CVSSv3 Score): 4.9
Vulnerability description

Kibana is prone to multiple vulnerabilities.

Risk description

The following vulnerabilities exist:

- CVE-2019-7616: A server-side request forgery (SSRF) flaw in the Graphite integration of the Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could allow the attacker to access external URL resources as the Kibana process on the host system; successful exploitation would allow an attacker to read sensitive information.
- CVE-2019-10744: A prototype pollution flaw exists in lodash, a component used by Kibana. An attacker with access to Kibana may be able to use this lodash flaw to unexpectedly modify internal Kibana data. Prototype pollution can be leveraged to execute a cross-site scripting (XSS), denial of service (DoS), or remote code execution attack against Kibana.

Recommendation

Update to version 6.8.2 or 7.2.1 respectively.
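As an added example (not code from Pentest-Tools.com or Elastic), the following check reports whether a Kibana version string falls inside the affected ranges given in the title, using the fixed versions from the recommendation above; the list of sample versions at the bottom is constructed.

```javascript
// Decide whether a reported Kibana version is covered by this advisory:
// anything below 6.8.2, and 7.x below 7.2.1 (fixed in 6.8.2 / 7.2.1).

function parseVersion(v) {
  // Accept "7.2.0", "v6.8.1" or "7.2.0-SNAPSHOT"; pre-release suffixes are ignored.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable Kibana version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Fixed versions per branch, as stated in the advisory recommendation.
const FIXED = { 6: '6.8.2', 7: '7.2.1' };

function isAffected(version) {
  const [major] = parseVersion(version);
  if (major < 6) return true;                           // every release before 6.8.2
  if (major === 6) return compareVersions(version, FIXED[6]) < 0;
  if (major === 7) return compareVersions(version, FIXED[7]) < 0;
  return false;                                         // later majors are outside this advisory
}

function assess(version) {
  const affected = isAffected(version);
  const major = parseVersion(version)[0];
  return {
    version,
    affected,
    cves: affected ? ['CVE-2019-7616', 'CVE-2019-10744'] : [],
    fixedIn: affected ? (major >= 7 ? FIXED[7] : FIXED[6]) : null,
  };
}

// Constructed sample of version strings a scanner might read back from Kibana instances.
const SAMPLE_VERSIONS = ['6.8.1', '6.8.2', '7.0.0', '7.2.0', '7.2.1', '5.6.16'];
for (const v of SAMPLE_VERSIONS) console.log(JSON.stringify(assess(v)));
```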

Codename: Not available
Detectable with: Network Scanner
Scan engine: OpenVAS
Exploitable with Sniper: No
CVE Published: Jul 26, 2019
Detection added at
Software Type: Not available
Vendor: Not available
Product: Not available