CVE-2020-7013

Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.

Published: Jun 3, 2020
Updated: Apr 14, 2023
CVE: CVE-2020-7013
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.2
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-94

Affected Software
References

Software	From	Fixed in
elastic / kibana	7.0.0	7.7.0
elastic / kibana	-	6.8.9
redhat / openshift_container_platform	3.11	3.11.x
redhat / openshift_container_platform	4.0	4.0.x

https://www.elastic.co/community/security/

Vulnerability Database

289,689

CVE-2020-7013