CVE-2020-7012 in Elasticsearch and Elastic Products
Published on June 3, 2020

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.

Source: NVD

Weakness Type

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2020-7012 has been classified as a Code Injection vulnerability or weakness. Here the externally-influenced input is data written to the Kibana index, and the prototype pollution it triggers in the Upgrade Assistant is the route from that data to code execution.
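The description above and the Code Injection definition both turn on one JavaScript mechanism: a deep merge that walks attacker-controlled keys can reach `Object.prototype` through a `"__proto__"` key, after which every object in the process inherits whatever the attacker wrote. The block below is an added example, not Kibana's code and not taken from the advisory; the sample document, the merge functions and the `polluted` property name are all constructed for illustration, and nothing here reproduces the Upgrade Assistant's internals. It shows the vulnerable merge beside a hardened one and a check for whether pollution has occurred.

```javascript
// Added example (not Kibana's code, not from the advisory): a deep merge over
// attacker-controlled JSON that pollutes Object.prototype, beside a hardened
// merge that refuses to walk into the prototype chain.

// Constructed sample of a document an attacker with write access to the index
// could plant. After JSON.parse, "__proto__" is an ordinary own property; it
// only becomes dangerous when code later indexes into it by that name.
const MALICIOUS_DOC = JSON.parse(
  '{"title":"reindex-status","__proto__":{"polluted":"attacker-controlled"}}'
);

// Vulnerable pattern: a recursive merge that trusts every key of the source.
// When key === "__proto__", target[key] resolves (via the Object.prototype
// accessor) to Object.prototype itself, so the recursion writes the attacker's
// properties onto the prototype shared by every object in the process.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: iterate own keys only, reject the three keys that reach
// the prototype chain, and only recurse into properties the target itself owns.
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (PROTOTYPE_KEYS.has(key)) continue; // never merge into Object.prototype
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection check: does a brand-new empty object "see" a property it was never
// given? That is the signature of a polluted prototype.
function isPrototypePolluted(name) {
  return ({})[name] !== undefined;
}

// Runs the vulnerable merge, records the effect on an unrelated object, then
// deletes the polluted property so the rest of the process is not affected.
function demoUnsafe() {
  const settings = mergeUnsafe({}, MALICIOUS_DOC);
  const leaked = isPrototypePolluted('polluted') ? ({}).polluted : undefined;
  delete Object.prototype.polluted; // clean up after the demonstration
  return { title: settings.title, leaked };
}

// Runs the hardened merge on the same document: "title" is copied, the
// "__proto__" branch is dropped, and no unrelated object is affected.
function demoSafe() {
  const settings = mergeSafe({}, MALICIOUS_DOC);
  return { title: settings.title, leaked: ({}).polluted, keys: Object.keys(settings).join(',') };
}
```

The hardened merge is the fix pattern; as defence in depth, a Node.js service can also call `Object.freeze(Object.prototype)` at startup so that any pollution attempt that slips through fails instead of succeeding, at the cost of breaking libraries that legitimately extend `Object.prototype`. Whether a polluted property becomes "arbitrary code" depends on which sink later reads it; that sink is specific to the affected component and is not modelled here.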


Products Associated with CVE-2020-7012

Elastic Kibana

Affected Versions

Elastic Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 are affected by CVE-2020-7012. Elastic's fix shipped in the next release on each branch, Kibana 6.8.9 and 7.7.0.
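A practitioner checking an inventory against these two ranges needs a numeric comparison, not a string one ("7.6.10" sorts before "7.6.2" as text but is newer). The block below is an added example, not Elastic's code: it parses a MAJOR.MINOR.PATCH string and tests it against the ranges stated above. The sample status document is constructed; the assumption that the version string sits in the `version.number` field of Kibana's `/api/status` response is mine, so confirm it against the instance you query.

```javascript
// Added example (not Elastic's code): decide whether a Kibana version string
// falls in the ranges affected by CVE-2020-7012, comparing numerically.

// Inclusive ranges from the advisory: 6.7.0-6.8.8 and 7.0.0-7.6.2.
const AFFECTED_RANGES = [
  { from: [6, 7, 0], to: [6, 8, 8] },
  { from: [7, 0, 0], to: [7, 6, 2] },
];

// Parse "MAJOR.MINOR.PATCH" (a trailing tag such as "-SNAPSHOT" is ignored).
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised version: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Component-wise comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside any affected range (bounds inclusive).
function isAffectedKibanaVersion(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.from) >= 0 && compareVersions(v, r.to) <= 0
  );
}

// Constructed stand-in for the JSON body of GET /api/status, reduced to the
// one field this check needs (field name assumed, see lead-in).
const SAMPLE_STATUS = JSON.parse('{"version":{"number":"7.6.2"}}');

function checkStatus(statusJson) {
  return isAffectedKibanaVersion(statusJson.version.number);
}
```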

Exploit Probability

EPSS
73.44%
Percentile
98.78%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile is the share of all scored vulnerabilities whose EPSS score is at or below this one. EPSS scores are recomputed daily, so the figures above are a snapshot rather than a fixed property of the CVE.