CVE-2020-7012
published 2020-06-03

Priority: P2 67 (high)
CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 18.21% (96.8th percentile)
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.

Affected

3 ranges

Vendor    Product   Version range    Fixed in
elastic   kibana
elastic   kibana    6.7.0 – 6.8.8
elastic   kibana    7.0.0 – 7.6.2

Detection & IOCs (extracted from sources)

Indicator (command): constructor.prototype.sourceURL
  • Monitor for writes to the Kibana index (.kibana_1) that set or modify 'constructor.prototype.sourceURL', which is the prototype pollution payload property used to achieve RCE.
  • Alert on unexpected Kibana process restarts or crashes, especially following writes to the Kibana index, as the payload only executes after Kibana restarts or telemetry collection occurs.
  • Detect exploitation attempts via both direct Elasticsearch writes and Kibana-proxied queries to the Upgrade Assistant endpoint, as both paths can introduce the polluted prototype.
  • Scope detection to Kibana versions 6.7.0–6.8.8 and 7.0.0–7.6.2; versions outside this range or Kibana 5.6 (as shipped by Red Hat) are not affected.
  • Exploitation requires an authenticated attacker with write privileges to the Kibana index; unauthenticated or low-privilege users cannot trigger this vulnerability.
  • The Upgrade Assistant is part of the X-Pack paid add-on; deployments without X-Pack are not exposed to this attack surface.
  • The payload does not execute immediately upon injection; execution is deferred until Kibana is restarted or the telemetry collector runs (timing unknown), complicating real-time detection.
  • Post-exploitation cleanup requires deletion of the .kibana_1 index; absence of this index after an incident may indicate successful exploitation and cleanup by an attacker.
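The first detection bullet above (writes to the .kibana index that set constructor.prototype.sourceURL) can be turned into a scan over saved-object documents pulled from Elasticsearch. The following is an added example, not code from cvebase or from Elastic: it takes the hits array of an Elasticsearch `_search` response (constructed inline here), normalises both nested and dotted-key forms of the path, and flags any .kibana* document that sets a key under constructor.prototype, which is slightly broader than the exact sourceURL indicator on the page.

```python
import json


def _walk(node, path=()):
    """Yield (key_path, value) for every leaf of a nested JSON object.

    Dotted key names such as "constructor.prototype.sourceURL" are split so a
    pollution path stored either nested or flattened is normalised identically.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + tuple(str(key).split(".")))
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value, path)
    else:
        yield path, node


def polluted_paths(source):
    """Return dotted key paths in a document that write under constructor.prototype."""
    hits = []
    for path, _ in _walk(source):
        for i in range(len(path) - 1):
            if path[i] == "constructor" and path[i + 1] == "prototype":
                hits.append(".".join(path))
                break
    return hits


def scan_kibana_hits(search_hits):
    """Scan `_search` hits; return (index, id, path) alerts for .kibana* documents only."""
    alerts = []
    for hit in search_hits:
        if not hit.get("_index", "").startswith(".kibana"):
            continue
        for path in polluted_paths(hit.get("_source", {})):
            alerts.append((hit["_index"], hit["_id"], path))
    return alerts


# Constructed sample hits: one benign saved object, a nested and a dotted polluted
# document in .kibana_1, and a polluted document in an unrelated index (ignored).
SAMPLE_HITS = json.loads("""[
 {"_index": ".kibana_1", "_id": "config:7.6.2",
  "_source": {"type": "config", "config": {"buildNum": 1}}},
 {"_index": ".kibana_1", "_id": "upgrade-assistant-telemetry:1",
  "_source": {"type": "upgrade-assistant-telemetry",
   "constructor": {"prototype": {"sourceURL": "<constructed-placeholder>"}}}},
 {"_index": ".kibana_1", "_id": "x",
  "_source": {"constructor.prototype.sourceURL": "<constructed-placeholder>"}},
 {"_index": "logs-1", "_id": "y",
  "_source": {"constructor": {"prototype": {"sourceURL": "<constructed-placeholder>"}}}}
]""")

if __name__ == "__main__":
    for index, doc_id, path in scan_kibana_hits(SAMPLE_HITS):
        print(f"ALERT {index}/{doc_id}: sets {path}")
```

Because the payload only fires on restart or telemetry collection, a periodic scan of the index is a practical complement to real-time write monitoring.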

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      6.5     MEDIUM     AV:N/AC:L/Au:S/C:P/I:P/A:P
vendor_redhat             8.8     HIGH