Bug 1849044 (CVE-2020-7013)

Summary: CVE-2020-7013 kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06)
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aos-bugs, bmontgom, eparis, jburrell, jcantril, jokerman, nstielau, sponnaga
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: kibana 7.7.0, kibana 6.8.9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-27 20:21:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1850848, 1850850    
Bug Blocks: 1849050    

Description Michael Kaplan 2020-06-19 14:07:42 UTC
Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.



Comment 1 Joshua Padman 2020-06-25 03:12:34 UTC

To mitigate this vulnerability you can set  "metrics.enabled: false" in kibana.yml

Comment 2 Joshua Padman 2020-06-25 03:25:24 UTC
https://github.com/elastic/kibana/commit/f287f702223d72e963bf7ea663b89868fec88e11 is the fix for this vulnerability.

Comment 3 Joshua Padman 2020-06-25 03:32:37 UTC
External References:


Comment 6 errata-xmlrpc 2020-10-27 16:24:20 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298

Comment 7 Product Security DevOps Team 2020-10-27 20:21:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):