CVE-2020-7012
Published: 2020-06-03
Priority: P2 (67) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit likelihood (EPSS): 18.21% (96.8th percentile)
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | kibana | — | — |
| elastic | kibana | 6.7.0 – 6.8.8 | — |
| elastic | kibana | 7.0.0 – 7.6.2 | — |
Detection & IOCs (extracted from sources)
Detection guidance:
- Monitor for writes to the Kibana index (.kibana_1) that set or modify 'constructor.prototype.sourceURL', which is the prototype pollution payload property used to achieve RCE.
- Alert on unexpected Kibana process restarts or crashes, especially following writes to the Kibana index, as the payload only executes after Kibana restarts or telemetry collection occurs.
- Detect exploitation attempts via both direct Elasticsearch writes and Kibana-proxied queries to the Upgrade Assistant endpoint, as both paths can introduce the polluted prototype.
- Scope detection to Kibana versions 6.7.0–6.8.8 and 7.0.0–7.6.2; versions outside this range, or Kibana 5.6 (as shipped by Red Hat), are not affected.
Context:
- Exploitation requires an authenticated attacker with write privileges to the Kibana index; unauthenticated or low-privilege users cannot trigger this vulnerability.
- The Upgrade Assistant is part of the X-Pack paid add-on; deployments without X-Pack are not exposed to this attack surface.
- The payload does not execute immediately upon injection; execution is deferred until Kibana is restarted or the telemetry collector runs (timing unknown), which complicates real-time detection.
- Post-exploitation cleanup requires deletion of the .kibana_1 index; absence of this index after an incident may indicate successful exploitation and cleanup by an attacker.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSS v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| Red Hat (vendor) | — | 8.8 | HIGH | — |
GHSA
GHSA-xrx6-ghw2-jgjm (ghsa_unreviewed · 2022-05-24) · CVE-2020-7012 [MEDIUM] · title: "Kibana versions 6" (truncated in source)
Description: same as the CVE description above.
Red Hat
kibana: Prototype pollution in the Upgrade Assistant could result in arbitrary code execution (ESA-2020-05)
vendor_redhat · 2020-06-03 · CVSS 8.8 · CVE-2020-7012 [HIGH] · CWE-94
Description: same as the CVE description above.
Statement: The vulnerable functionality was introduced in Kibana 6.7; we ship Kibana 5.6 and it has not been backported. Additionally, it is a component of X-Pack, the paid additions for Kibana.
Package: kibana (Red Hat OpenShift Container Platform 3.11) - Not affected
Package: kibana (Red Hat OpenShift Container Pla
No detection rules found.
Published: 2020-06-03