CVE-2020-7016 — Incorrect Regular Expression in Elasticsearch Kibana

CWE-185 — Incorrect Regular Expression CWE-400 — Uncontrolled Resource Consumption5 documents5 sources

Severity

4.8MEDIUMNVD

EPSS

0.5%

top 35.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elasticsearch Kibana Elastic Kibana Oracle Communications Billing AND Revenue Management +2 more

Timeline

PublishedJul 27

Latest updateMay 24

Description

Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:HExploitability: 1.2 | Impact: 3.6

Affected Packages5 packages

▶NVDelasticsearch/kibana7.0.0 — 7.8.1+1

▶CVEListV5elastic/kibanabefore 6.8.11 and 7.8.1

▶NVDoracle/peoplesoft_enterprise_peopletools8.58

▶NVDoracle/communications_billing_and_revenue_management12.0.0.3.0

▶NVDoracle/communications_cloud_native_core_network_function_cloud_native_environment1.7.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-hrj2-4hpm-cjw9: Kibana versions before 6↗2022-05-24

▶

CVEList

CVE-2020-7016: Kibana versions before 6↗2020-07-27

▶

📋Vendor Advisories

Red Hat

kibana: DoS in Timelion↗2020-07-27

▶

💬Community

Bugzilla

CVE-2020-7016 kibana: DoS in Timelion↗2020-08-04

▶