{"containers": {"cna": {"affected": [{"product": "Kibana", "vendor": "Elastic", "versions": [{"status": "affected", "version": "before 6.8.11 and 7.8.1"}]}], "descriptions": [{"lang": "en", "value": "Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-185", "description": "CWE-185: Incorrect Regular Expression", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-07-20T22:55:24", "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.elastic.co/community/security/"}, {"tags": ["x_refsource_MISC"], "url": "https://discuss.elastic.co/t/elastic-stack-6-8-11-and-7-8-1-security-update/242786"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@elastic.co", "ID": "CVE-2020-7016", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kibana", "version": {"version_data": [{"version_value": "before 6.8.11 and 7.8.1"}]}}]}, "vendor_name": "Elastic"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-185: Incorrect Regular Expression"}]}]}, "references": {"reference_data": [{"name": "https://www.elastic.co/community/security/", "refsource": "MISC", "url": "https://www.elastic.co/community/security/"}, {"name": "https://discuss.elastic.co/t/elastic-stack-6-8-11-and-7-8-1-security-update/242786", "refsource": "MISC", "url": "https://discuss.elastic.co/t/elastic-stack-6-8-11-and-7-8-1-security-update/242786"}, {"name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:18:03.007Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.elastic.co/community/security/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://discuss.elastic.co/t/elastic-stack-6-8-11-and-7-8-1-security-update/242786"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}]}]}, "cveMetadata": {"assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "assignerShortName": "elastic", "cveId": "CVE-2020-7016", "datePublished": "2020-07-27T18:00:15", "dateReserved": "2020-01-14T00:00:00", "dateUpdated": "2024-08-04T09:18:03.007Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elasticsearch:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "598008DD-95C5-442F-91C0-4A05C742FBF8", "versionEndExcluding": "6.8.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:elasticsearch:kibana:*:*:*:*:*:*:*:*", "matchCriteriaId": "D880C23A-1226-42E5-8A51-D810E2FC46FB", "versionEndExcluding": "7.8.1", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E39D442D-1997-49AF-8B02-5640BE2A26CC", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "1CB33EB2-6D6A-424B-91AF-3F0EF7FCE470", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive."}, {"lang": "es", "value": "En Kibana versiones anteriores a 6.8.11 y 7.8.1, contiene un fallo de denegaci\u00f3n de servicio (DoS) en Timelion. Un atacante puede construir una URL que, cuando es visualizada por un usuario de Kibana, puede conllevar al proceso de Kibana a consumir grandes cantidades de CPU y dejar de responder"}], "id": "CVE-2020-7016", "lastModified": "2022-11-16T03:54:40.627", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-07-27T18:15:14.170", "references": [{"source": "bressers@elastic.co", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://discuss.elastic.co/t/elastic-stack-6-8-11-and-7-8-1-security-update/242786"}, {"source": "bressers@elastic.co", "tags": ["Vendor Advisory"], "url": "https://www.elastic.co/community/security/"}, {"source": "bressers@elastic.co", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}], "sourceIdentifier": "bressers@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-185"}], "source": "bressers@elastic.co", "type": "Secondary"}]}

{"bugzilla": {"description": "kibana: DoS in Timelion", "id": "1865759", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1865759"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-400", "details": ["Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive.", "A flaw was found in kibana\u2019s Timelion component. This flaw allows an attacker to construct a URL that can lead to the kibana process consuming large amounts of CPU and becoming unresponsive when viewed by a kibana user. The highest threat from this vulnerability is to system availability."], "name": "CVE-2020-7016", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "impact": "low", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "impact": "low", "package_name": "openshift4/ose-logging-kibana6", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2020-07-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-7016\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-7016\nhttps://discuss.elastic.co/t/elastic-stack-6-8-11-and-7-8-1-security-update/242786\nhttps://www.elastic.co/community/security/"], "statement": "In Red Hat OpenShift Container Platform (RHOCP), the affected kibana component is behind OpenShift OAuth authentication. This restricts access to the vulnerable Timelion kibana component to authenticated users only, therefore the impact is Low.\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the Timelion tool is used, but due to the code changing to the container first content, the kibana package is marked as wontfix. This may be fixed in the future.", "threat_severity": "Low", "upstream_fix": "kibana 7.8.1, kibana 6.8.11"}