cve-2019-7618
Vulnerability from cvelistv5
Published
2019-10-01 17:52
Modified
2024-08-04 20:54
Severity ?
Summary
A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local filesystem of the Kibana instance running Code with the permission of the Kibana system user.
References
bressers@elastic.cohttps://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831Release Notes, Vendor Advisory
bressers@elastic.cohttps://staging-website.elastic.co/community/securityPermissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://staging-website.elastic.co/community/securityPermissions Required, Vendor Advisory
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T20:54:28.312Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://staging-website.elastic.co/community/security"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Elastic Code",
          "vendor": "Elastic",
          "versions": [
            {
              "status": "affected",
              "version": "7.3.0, 7.3.1, and 7.3.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local filesystem of the Kibana instance running Code with the permission of the Kibana system user."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-538",
              "description": "CWE-538: File and Directory Information Exposure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-01T17:52:42",
        "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
        "shortName": "elastic"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://staging-website.elastic.co/community/security"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@elastic.co",
          "ID": "CVE-2019-7618",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Elastic Code",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "7.3.0, 7.3.1, and 7.3.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Elastic"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local filesystem of the Kibana instance running Code with the permission of the Kibana system user."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-538: File and Directory Information Exposure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://staging-website.elastic.co/community/security",
              "refsource": "MISC",
              "url": "https://staging-website.elastic.co/community/security"
            },
            {
              "name": "https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831",
              "refsource": "MISC",
              "url": "https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
    "assignerShortName": "elastic",
    "cveId": "CVE-2019-7618",
    "datePublished": "2019-10-01T17:52:42",
    "dateReserved": "2019-02-07T00:00:00",
    "dateUpdated": "2024-08-04T20:54:28.312Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-7618\",\"sourceIdentifier\":\"bressers@elastic.co\",\"published\":\"2019-10-01T18:15:13.987\",\"lastModified\":\"2024-11-21T04:48:24.797\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local filesystem of the Kibana instance running Code with the permission of the Kibana system user.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 un fallo de divulgaci\u00f3n de archivo local en Elastic Code versiones 7.3.0, 7.3.1 y 7.3.2. Si un repositorio de c\u00f3digo malicioso es importado hacia Code, es posible leer archivos arbitrarios del sistema de archivos local de la instancia Kibana ejecutando Code con el permiso del usuario system de Kibana.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:P/I:N/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"bressers@elastic.co\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-538\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:elastic:kibana:7.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E2F9EBE3-54B9-410E-9B22-6A4671735765\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:elastic:kibana:7.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F08B1343-B6DB-435B-8913-9EBAC66B5D00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:elastic:kibana:7.3.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D73DD3D7-F0E2-4BA3-8BD9-637E872CA121\"}]}]}],\"references\":[{\"url\":\"https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831\",\"source\":\"bressers@elastic.co\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://staging-website.elastic.co/community/security\",\"source\":\"bressers@elastic.co\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://staging-website.elastic.co/community/security\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.