10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.969 High
EPSS
Percentile
99.7%
Severity: High
Date : 2019-02-25
CVE-ID : CVE-2019-7608 CVE-2019-7609 CVE-2019-7610
Package : kibana
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-911
The package kibana before version 6.6.1-1 is vulnerable to multiple
issues including arbitrary code execution and information disclosure.
Upgrade to 6.6.1-1.
The problems have been fixed upstream in version 6.6.1.
None.
Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting
(XSS) vulnerability that could allow an attacker to obtain sensitive
information from, or perform destructive actions on behalf of, other
Kibana users.
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code
execution flaw in the Timelion visualizer. An attacker with access to
the Timelion application could send a request that will attempt to
execute javascript code. This could possibly lead to an attacker
executing arbitrary commands with permissions of the Kibana process on
the host system.
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code
execution flaw in the security audit logger. If a Kibana instance has
the setting xpack.security.audit.enabled set to true, an attacker could
send a request that will attempt to execute javascript code. This could
possibly lead to an attacker executing arbitrary commands with
permissions of the Kibana process on the host system.
An authenticated malicious user can disclose sensitive information or
execute arbitrary code.
https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
https://security.archlinux.org/CVE-2019-7608
https://security.archlinux.org/CVE-2019-7609
https://security.archlinux.org/CVE-2019-7610
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.969 High
EPSS
Percentile
99.7%