// For flags

CVE-2020-7012

 

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.

Kibana versiones 6.7.0 hasta 6.8.8 y 7.0.0 hasta 7.6.2, contienen un fallo contaminación de prototipo en el Upgrade Assistant. Un atacante autenticado con privilegios para escribir en el índice de Kibana podría insertar datos que harían que Kibana ejecutara código arbitrario. Esto podría conllevar posiblemente a que un atacante ejecute código con los permisos del proceso de Kibana en el sistema host.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-01-14 CVE Reserved
  • 2020-06-03 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://www.elastic.co/community/security 2020-08-14
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Elastic
Search vendor "Elastic"
 Kibana
Search vendor "Elastic" for product "Kibana"
 >= 6.7.0 <= 6.8.8
Search vendor "Elastic" for product "Kibana" and version " >= 6.7.0 <= 6.8.8"
-
Affected
Elastic
Search vendor "Elastic"
 Kibana
Search vendor "Elastic" for product "Kibana"
 >= 7.0.0 <= 7.6.2
Search vendor "Elastic" for product "Kibana" and version " >= 7.0.0 <= 7.6.2"
-
Affected