Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system. References: https://www.elastic.co/community/security/
Statement: To mitigate this vulnerability you can set "metrics.enabled: false" in kibana.yml
https://github.com/elastic/kibana/commit/f287f702223d72e963bf7ea663b89868fec88e11 is the fix for this vulnerability.
External References: https://discuss.elastic.co/t/elastic-stack-6-8-9-and-7-7-0-security-update/235571
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7013