Bug 1130632 - (CVE-2019-7610) VUL-0: CVE-2019-7610: kibana: Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could se
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
unspecified
Other Other
: P3 - Medium : Critical
: ---
Assigned To: Cloud Bugs
Security Team bot
https://smash.suse.de/issue/227092/
CVSSv2:NVD:CVE-2019-7610:9.3:(AV:N/A...
Reported: 2019-03-27 07:16 UTC by Marcus Meissner
Modified: 2019-11-19 17:21 UTC

Found By: Security Response Team


Description Marcus Meissner 2019-03-27 07:16:26 UTC
CVE-2019-7610

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw
in the security audit logger. If a Kibana instance has the setting
xpack.security.audit.enabled set to true, an attacker could send a request that
will attempt to execute javascript code. This could possibly lead to an attacker
executing arbitrary commands with permissions of the Kibana process on the host
system.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-7610
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7610
https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
https://www.elastic.co/community/security
Comment 2 Marcus Meissner 2019-03-28 05:35:11 UTC
We do not install xpack -> we are not affected.
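
A defender-side triage of the two conditions named in the description (a version before 5.6.15 / 6.6.1, and `xpack.security.audit.enabled` set to true), as an added example that is not part of the bug report or of Elastic's code. The function names, the simplified `kibana.yml` reader (plain key/value mappings only, flat or nested) and the sample config are assumptions constructed for illustration; a missing setting is treated as false.

```python
import re

# Fixed releases named in the advisory: 5.6.15 (5.x line) and 6.6.1 (6.x line).
FIXED_5X, FIXED_6X = (5, 6, 15), (6, 6, 1)
AUDIT_KEY = "xpack.security.audit.enabled"

# Constructed sample kibana.yml using the nested spelling of the setting.
SAMPLE_NESTED = """\
server.port: 5601
xpack:
  security:
    audit:
      enabled: true   # constructed sample value
"""


def version_is_affected(version):
    """True if the version is older than the fixed release of its major line."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    if parts[0] >= 7:  # assumption: later major lines already carry the fix
        return False
    return parts < (FIXED_6X if parts[0] == 6 else FIXED_5X)


def flatten_settings(yml_text):
    """Flatten the plain key/value subset of kibana.yml into dotted keys."""
    settings, stack = {}, []  # stack: (indent, key) of open parent mappings
    for raw in yml_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        dotted = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            settings[dotted] = value.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return settings


def triage(version, yml_text):
    """Combine both conditions from the advisory into one verdict."""
    audit = flatten_settings(yml_text).get(AUDIT_KEY, "false").lower() == "true"
    if not version_is_affected(version):
        return "fixed version"
    return "exposed" if audit else "affected version, audit logging off"
```

An install without X-Pack, as in Comment 2, has no such setting in its config and lands in the "audit logging off" branch on an old version.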