Bug 1130634 (CVE-2019-7608) - VUL-0: CVE-2019-7608: kibana: Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana
Summary: VUL-0: CVE-2019-7608: kibana: Kibana versions before 5.6.15 and 6.6.1 had a c...
Status: RESOLVED WORKSFORME
Alias: CVE-2019-7608
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Jonathan Brownell
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/227090/
Whiteboard: CVSSv3:SUSE:CVE-2019-7608:6.1:(AV:N/...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-27 07:19 UTC by Marcus Meissner
Modified: 2020-06-28 02:09 UTC
CC: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Marcus Meissner 2019-03-27 07:19:06 UTC
CVE-2019-7608

Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS)
vulnerability that could allow an attacker to obtain sensitive information from
or perform destructive actions on behalf of other Kibana users.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-7608
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7608
https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
https://www.elastic.co/community/security
Comment 1 Jonathan Brownell 2019-04-04 20:52:33 UTC
Based on conversation threads with Elastic/Kibana developers (see https://discuss.elastic.co/t/need-info-regarding-kibana-xss-issue-esa-2019-01/174620), this XSS vulnerability exists within the Timelion codebase and was resolved by the github PR https://github.com/elastic/kibana/pull/28834.

Since our version of Kibana is from the older 4.x vintage, the Timelion application is not included with it and, therefore, this defect does not apply to our version of the software.