RCE in Elastic Kibana

CVE-2020-7012

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbi…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.734 (98.8th percentile)

Affected products

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2020-7012?
CVE-2020-7012 is a vulnerability in Elastic Kibana, classified under Code Injection. Published 2020-06-03.

Is CVE-2020-7012 known to be exploited?
3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.