CVE-2020-7013

Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
elastickibana
𝑥
< 6.8.9
elastickibana
7.0.0 ≤
𝑥
< 7.7.0
redhatopenshift_container_platform
3.11
redhatopenshift_container_platform
4.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.elastic.co/community/security/
https://www.elastic.co/community/security/