CVE-2019-7616
published 2019-07-30CVE-2019-7616: Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with…
PriorityP432medium4.9CVSS 3.1
AVNACLPRHUINSUCHINAN
EPSS
2.14%
79.7th percentile
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | < 6.8.2 | 6.8.2 |
| elastic | kibana | — | — |
| elastic | kibana | >= 7.0.0 < 7.2.1 | 7.2.1 |
CVSS provenance
nvdv3.14.9MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:P/I:N/A:N
vendor_redhat4.9MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-cjvv-mvp7-x62q: Kibana versions before 6
ghsa_unreviewed·2022-05-24
CVE-2019-7616 [MEDIUM] CWE-918 GHSA-cjvv-mvp7-x62q: Kibana versions before 6
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system.
Red Hat
kibana: Server side request forgery in the graphite integration for Timelion visualizer
vendor_redhat·2019-07-31·CVSS 4.9
CVE-2019-7616 [MEDIUM] CWE-352 kibana: Server side request forgery in the graphite integration for Timelion visualizer
kibana: Server side request forgery in the graphite integration for Timelion visualizer
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system.
Package: kibana (Red Hat OpenShift Container Platform 3.10) - Fix deferred
Package: kibana (Red Hat OpenShift Container Platform 3.11) - Fix deferred
Package: kibana (Red Hat OpenShift Container Platform 3.4) - Out of support scope
Package: kibana (Red Hat OpenShift Container Platform 3.5) - Out of support scope
Package: ki
No detection rules found.
No public exploits indexed.
2019-07-30
Published