Kibana regular expression denial of service flaw (ESA-2020-09)
Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive.
Affected Versions
All versions before 7.8.1 and 6.8.11
Solutions and Mitigations
Users should upgrade to Kibana version 7.8.1 or 6.8.11. Users unable to upgrade can disable Timelion by setting timelion.enabled to false in the kibana.yml configuration file.
CVSSv3: 4.8 - AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
CVE ID: CVE-2020-7016
Kibana cross site scripting (XSS) issue (ESA-2020-10)
The region map visualization in Kibana contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the region map visualization.
Affected Versions
All versions of Kibana are affected by this flaw
Solutions and Mitigations
Users should upgrade to Kibana version 7.8.1 or 6.8.11. Users unable to upgrade can set ‘xpack.maps.enabled: false’, ‘region_map.enabled: false’, and ‘tile_map.enabled: false’ in kibana.yml to disable map visualizations.
Users running version 6.7.0 or later have a reduced risk from this XSS vulnerability when Kibana is configured to use the default Content Security Policy with a modern browser. While the CSP prevents XSS, it does not mitigate the underlying HTML injection vulnerability.
CVSSv3: 6.7 - AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
CVE ID: CVE-2020-7017