CVE-2020-7012

HIGH

Elastic Kibana 6.7.0 - 6.8.8 / 7.0.0 - 7.6.2 - Code Injection (Upgrade Assistant prototype pollution)

Title source: rule

Description

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index (.kibana by default) could insert a document whose attributes pollute Object.prototype, causing Kibana to execute arbitrary code with the permissions of the Kibana process on the host system. The precondition is write access to the Kibana index; read access alone does not reach the flaw. Fixed in Kibana 6.8.9 and 7.7.0.
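
Added illustration of the vulnerability class, not Kibana's code and not taken from the Metasploit module listed below: a naive recursive merge of a stored document's attributes into a stats object, of the kind that lets a `__proto__` key in attacker-written index data land on Object.prototype, next to a merge that refuses the dangerous keys. The document shape, the `upgrade-assistant-telemetry` type string, the `ui_open` field and the `polluted` property are all constructed for this example.

```javascript
// Added example, not Kibana's code. A naive recursive merge over a document
// read back from the Kibana index: a "__proto__" key in the stored attributes
// walks into Object.prototype, and every object in the process then inherits
// whatever the attacker wrote there.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // target["__proto__"] resolves to Object.prototype, so the recursion
      // below writes attacker-chosen properties onto it.
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: refuse the keys that reach the prototype chain and only
// descend into the target's own properties, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      continue; // dropped here; a real service should log or reject the document
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample of an attacker-written document (type name and field
// layout are invented). It is kept as a raw JSON string on purpose: JSON.parse
// creates an own property literally named "__proto__", whereas an object
// literal with that key would only set the prototype.
const ATTACKER_DOC =
  '{"type":"upgrade-assistant-telemetry",' +
  ' "attributes":{"ui_open":{"overview":3},"__proto__":{"polluted":"yes"}}}';

// Read the document the way a telemetry collector might: parse it, merge its
// attributes into fresh defaults, then check whether an unrelated empty object
// now carries the attacker's property.
function collectTelemetry(mergeFn, rawDoc) {
  const doc = JSON.parse(rawDoc);
  const stats = { ui_open: { overview: 0 } };
  mergeFn(stats, doc.attributes);
  return { stats, leaked: ({}).polluted };
}

function runDemo() {
  // Safe merge first, so the naive run cannot contaminate its result.
  const safe = collectTelemetry(safeMerge, ATTACKER_DOC);
  const naive = collectTelemetry(naiveMerge, ATTACKER_DOC);
  delete Object.prototype.polluted; // undo the pollution for the rest of the process
  return { safe, naive, afterCleanup: ({}).polluted };
}

console.log(JSON.stringify(runDemo()));
```

Both merges still apply the legitimate `ui_open.overview` value; only the naive one leaks `polluted` onto every object. What turns a polluted prototype into code execution is whichever later code path reads a property it never set itself; the Metasploit module under Exploits is a working instance of that for this Kibana flaw.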

Exploits (1)

metasploit · working PoC · manual
by h00die, Alex Brasetvik (alexbrasetvik) · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/kibana_upgrade_assistant_telemetry_rce.rb

Scores

CVSS v3 8.8
EPSS 0.7344
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (1)
elastic/kibana 6.7.0 - 6.8.8
Published Jun 03, 2020
Tracked Since Feb 18, 2026