Bug 1172567 (CVE-2020-7015)

Summary: VUL-1: CVE-2020-7015: kibana: stored XSS flaw in the TSVB visualization
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Cloud Bugs <cloud-bugs>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P5 - None
CC: smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/260688/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2020-06-05 11:00:53 UTC
CVE-2020-7015

Kibana versions before 6.8.9 and 7.7.0 contain a stored XSS flaw in the TSVB
visualization. An attacker who is able to edit or create a TSVB visualization
could allow the attacker to obtain sensitive information from, or perform
destructive actions, on behalf of Kibana users who edit the TSVB visualization.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7015
https://www.elastic.co/community/security/

Comment 1 Robert Frohl 2020-06-05 11:07:50 UTC
Looks like TSVB or Time Series Visual Builder was only introduced with 5.4. We only ship older versions.