{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2019-7609", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "assignerShortName": "elastic", "dateUpdated": "2024-08-04T20:54:28.529Z", "dateReserved": "2019-02-07T00:00:00", "datePublished": "2019-03-25T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2023-09-08T22:06:37.465771"}, "descriptions": [{"lang": "en", "value": "Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system."}], "affected": [{"vendor": "Elastic", "product": "Kibana", "versions": [{"version": "before 5.6.15 and 6.6.1", "status": "affected"}]}], "references": [{"url": "https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077"}, {"url": "https://www.elastic.co/community/security"}, {"name": "RHSA-2019:2860", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2860"}, {"name": "RHBA-2019:2824", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHBA-2019:2824"}, {"url": "http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T20:54:28.529Z"}, "title": "CVE Program Container", "references": [{"url": "https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077", "tags": ["x_transferred"]}, {"url": "https://www.elastic.co/community/security", "tags": ["x_transferred"]}, {"name": "RHSA-2019:2860", "tags": ["vendor-advisory", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2860"}, {"name": "RHBA-2019:2824", "tags": ["vendor-advisory", "x_transferred"], "url": "https://access.redhat.com/errata/RHBA-2019:2824"}, {"url": "http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html", "tags": ["x_transferred"]}]}]}}

{}

{"cisaActionDue": "2022-07-10", "cisaExploitAdd": "2022-01-10", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Kibana Arbitrary Code Execution", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "54F3E4CC-2877-4CA8-A2EB-3CB9F32855E2", "versionEndExcluding": "5.6.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "9870EC64-EDCA-436F-BE44-827E8ECA38F9", "versionEndExcluding": "6.6.1", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*", "matchCriteriaId": "2F87326E-0B56-4356-A889-73D026DB1D4B", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "064E7BDD-4EF0-4A0D-A38D-8C75BAFEDCEF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system."}, {"lang": "es", "value": "Las versiones anteriores a las 5.6.15 y 6.6.1 de Kibana contienen un error de ejecuci\u00f3n de c\u00f3digo arbitrario en el visualizador Timelion. Un atacante con acceso a la aplicaci\u00f3n Timelion podr\u00eda enviar una petici\u00f3n que intente ejecutar c\u00f3digo javascript. Esto podr\u00eda resultar en que un atacante ejecute comandos arbitrarios con permisos del proceso de Kibana en el sistema host."}], "id": "CVE-2019-7609", "lastModified": "2024-11-21T04:48:23.680", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-03-25T19:29:02.147", "references": [{"source": "bressers@elastic.co", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html"}, {"source": "bressers@elastic.co", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHBA-2019:2824"}, {"source": "bressers@elastic.co", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2860"}, {"source": "bressers@elastic.co", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077"}, {"source": "bressers@elastic.co", "tags": ["Broken Link", "Vendor Advisory"], "url": "https://www.elastic.co/community/security"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHBA-2019:2824"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2860"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Vendor Advisory"], "url": "https://www.elastic.co/community/security"}], "sourceIdentifier": "bressers@elastic.co", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "bressers@elastic.co", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/apb-base:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/apb-tools:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/automation-broker-apb:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/csi-attacher:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/csi-driver-registrar:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/csi-livenessprobe:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/csi-provisioner:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/grafana:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/jenkins-slave-base-rhel7:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/jenkins-slave-maven-rhel7:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/jenkins-slave-nodejs-rhel7:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/local-storage-provisioner:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/logging-fluentd:v3.11.146-4", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/manila-provisioner:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/mariadb-apb:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/mediawiki:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/mediawiki-apb:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/metrics-cassandra:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/metrics-hawkular-metrics:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/metrics-hawkular-openshift-agent:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/metrics-heapster:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/metrics-schema-installer:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/mysql-apb:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/node:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/oauth-proxy:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-ansible:v3.11.146-3", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-ansible-service-broker:v3.11.146-3", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-cli:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-cluster-autoscaler:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-cluster-capacity:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-cluster-monitoring-operator:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-configmap-reloader:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-console:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-control-plane:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-deployer:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-descheduler:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-docker-builder:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-docker-registry:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-efs-provisioner:v3.11.146-3", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-egress-dns-proxy:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-egress-http-proxy:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-egress-router:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-haproxy-router:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-hyperkube:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-hypershift:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-keepalived-ipfailover:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-kube-rbac-proxy:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-kube-state-metrics:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-logging-curator5:v3.11.146-5", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-logging-elasticsearch5:v3.11.146-4", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-logging-eventrouter:v3.11.146-4", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-logging-fluentd:v3.11.146-4", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-logging-kibana5:v3.11.146-6", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-metrics-cassandra:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-metrics-hawkular-metrics:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-metrics-hawkular-openshift-agent:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-metrics-heapster:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-metrics-schema-installer:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-metrics-server:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-node:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-node-problem-detector:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-operator-lifecycle-manager:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-ovn-kubernetes:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-pod:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-prometheus-config-reloader:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-prometheus-operator:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-recycler:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-service-catalog:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-template-service-broker:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-tests:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/ose-web-console:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/postgresql-apb:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/prometheus:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/prometheus-alertmanager:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/prometheus-node-exporter:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/registry-console:v3.11.146-1", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/snapshot-controller:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHBA-2019:2824", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift3/snapshot-provisioner:v3.11.146-2", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-09-24T00:00:00Z"}, {"advisory": "RHSA-2019:2860", "cpe": "cpe:/a:redhat:openshift:4.1::el7", "package": "kibana-0:5.6.16-2.el7", "product_name": "Red Hat OpenShift Container Platform 4.1", "release_date": "2019-09-30T00:00:00Z"}], "bugzilla": {"description": "kibana: Arbitrary code execution flaw in the Timelion visualizer", "id": "1696030", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1696030"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.", "An arbitrary code execution flaw was found in the Timelion visualizer in Kibana versions before 5.6.15 and 6.6.1. This flaw allows an attacker with access to the Timelion application to send a request that attempts to execute javascript code. This could lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system."], "name": "CVE-2019-7609", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.10", "fix_state": "Not affected", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.10"}, {"cpe": "cpe:/a:redhat:openshift:3.4", "fix_state": "Not affected", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.4"}, {"cpe": "cpe:/a:redhat:openshift:3.5", "fix_state": "Not affected", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.5"}, {"cpe": "cpe:/a:redhat:openshift:3.6", "fix_state": "Not affected", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.6"}, {"cpe": "cpe:/a:redhat:openshift:3.7", "fix_state": "Not affected", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.7"}, {"cpe": "cpe:/a:redhat:openshift:3.9", "fix_state": "Not affected", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.9"}, {"cpe": "cpe:/a:redhat:openstack-optools:8", "fix_state": "Not affected", "package_name": "kibana", "product_name": "Red Hat OpenStack Platform 8 (Liberty) Operational Tools"}, {"cpe": "cpe:/a:redhat:openstack-optools:9", "fix_state": "Not affected", "package_name": "kibana", "product_name": "Red Hat OpenStack Platform 9 (Mitaka) Operational Tools"}], "public_date": "2019-02-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-7609\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-7609\nhttps://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog"], "threat_severity": "Important", "upstream_fix": "kibana 5.6.15, kibana 6.6.1"}