CVE-2019-7609
Published: 25 March 2019
Summary
CVE-2019-7609 is a critical-severity Code Injection (CWE-94) vulnerability in Elastic Kibana. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer, tracked as CVE-2019-7609 and classified as CWE-94. The issue permits an attacker to submit a request that attempts to execute JavaScript code within the affected component. The CVSS 3.1 base score of 10.0 reflects a network attack vector, low attack complexity, and no required privileges or user interaction.
An attacker with access to the Timelion application can exploit the flaw to run arbitrary commands on the underlying host using the permissions of the Kibana process. This can result in full compromise of confidentiality, integrity, and availability on the affected system.
Elastic security advisories and corresponding Red Hat errata direct users to apply the updates released in versions 5.6.15 and 6.6.1. Additional guidance appears in Elastic's coordinated disclosure notice and community security announcement.
Public references include a detailed exploit description on PacketStorm, confirming the prototype-pollution vector that leads to remote code execution.
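The remediation guidance above reduces to a version check against the fixed releases. As an added example (not code from the advisory, Elastic, or the Kibana project), the following Python classifies a Kibana version string against the advisory's ranges (before 5.6.15 on the 5.x line, before 6.6.1 on the 6.x line) and reads the version out of a status response. The shape of Kibana's /api/status JSON (a "version" object with a "number" field) and the sample bodies are assumptions constructed for the example; lines the advisory does not name (4.x and earlier, 7.x and later) are reported as unknown rather than guessed.

```python
"""Added example: classify a Kibana version against the CVE-2019-7609 fixed releases.

The affected ranges come from the advisory text: anything before 5.6.15 on the
5.x line and before 6.6.1 on the 6.x line. The /api/status response shape used
below is an assumption; the sample bodies are constructed for offline use.
"""
import json
import re
from typing import Optional, Tuple

# First safe release on each affected line, per the advisory.
FIXED_VERSIONS = {5: (5, 6, 15), 6: (6, 6, 1)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '6.5.4' or '6.5.4-SNAPSHOT' into (6, 5, 4); None if it does not parse."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version: str) -> str:
    """Return 'affected', 'fixed', or 'unknown'.

    'unknown' covers unparseable strings and major versions the advisory does
    not name, so a scan never reports those as safe by accident.
    """
    v = parse_version(version)
    if v is None:
        return "unknown"
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return "unknown"
    return "affected" if v < fixed else "fixed"


def assess_status_response(body: str) -> dict:
    """Parse a /api/status JSON body (assumed shape) and report the version status."""
    try:
        data = json.loads(body)
        number = data["version"]["number"]
    except (ValueError, KeyError, TypeError):
        return {"version": None, "status": "unknown", "action": "status body not understood"}
    status = classify(number)
    if status == "affected":
        fixed = FIXED_VERSIONS[parse_version(number)[0]]
        action = "upgrade to %s or later" % ".".join(str(n) for n in fixed)
    elif status == "fixed":
        action = "no action for this CVE"
    else:
        action = "verify manually; version not covered by the advisory text"
    return {"version": number, "status": status, "action": action}


# Constructed sample responses shaped like an assumed /api/status reply.
SAMPLE_VULNERABLE = '{"name": "kibana-1", "version": {"number": "6.5.4"}}'
SAMPLE_PATCHED = '{"name": "kibana-2", "version": {"number": "6.6.1"}}'

if __name__ == "__main__":
    for body in (SAMPLE_VULNERABLE, SAMPLE_PATCHED):
        print(assess_status_response(body))
```

The tri-state result is deliberate: a scanner that returns only true/false tends to mark unrecognised versions as safe, which is the wrong default for a KEV-listed flaw.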
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-17147
Vulnerability details
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
- CWE(s): CWE-94
- KEV Date Added: 10 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks the unsanitized Timelion request that performs the prototype pollution leading to arbitrary JavaScript execution.
- CM-7 (Least Functionality): disables or removes the Timelion visualizer (or Kibana entirely) so the vulnerable code path cannot be reached.
- Least privilege for the service: runs the Kibana process under minimal OS privileges, limiting the commands an attacker can execute after successful exploitation.