CVE-2019-7609

10.0 CRITICAL CISA KEV - Actively Exploited
Published: March 25, 2019 Modified: November 07, 2025

Description

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system.


CVSS v3.x Details

Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

https://access.redhat.com/errata/RHBA-2019:2824 (Source: security@elastic.co) - Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2860 (Source: security@elastic.co) - Third Party Advisory
https://www.elastic.co/community/security (Source: security@elastic.co) - Broken Link, Vendor Advisory
http://packetstormsecurity.com/files/174569/Kibana-Timelion-Prototype-Pollution-Remote-Code-Execution.html (Source: af854a3a-2127-422b-91ae-364da2661108) - Exploit, Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHBA-2019:2824 (Source: af854a3a-2127-422b-91ae-364da2661108) - Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2860 (Source: af854a3a-2127-422b-91ae-364da2661108) - Third Party Advisory
https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077 (Source: af854a3a-2127-422b-91ae-364da2661108) - Vendor Advisory
https://www.elastic.co/community/security (Source: af854a3a-2127-422b-91ae-364da2661108) - Broken Link, Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7609 (Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0) - US Government Resource

11 reference(s) from NVD

Quick Stats

CVSS v3 Score: 10.0 / 10.0
EPSS (Exploit Probability): 94.4% (100th percentile)
Exploitation Status: Actively Exploited
Remediation due: 2022-07-10

Weaknesses (CWE)

Affected Vendors

elastic, redhat