CVE-2020-7013

Source
https://cve.org/CVERecord?id=CVE-2020-7013
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7013.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-7013
Published
2020-06-03T18:15:22.963Z
Modified
2026-02-12T00:32:39.415745Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

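Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB (Time Series Visual Builder). An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could lead to an attacker executing code with the permissions of the Kibana process on the host system. Note that the affected-package entry and the vanir_signatures on this record reference the github.com/elastic/elasticsearch repository (Java files under x-pack/plugin/ccr, server and test/framework) rather than Kibana, so a signature match there does not by itself indicate exposure to the TSVB flaw; exposure is determined by checking the deployed Kibana version against 6.8.9 and 7.7.0.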

References

Affected packages

Git / github.com/elastic/elasticsearch

Affected ranges

Type
GIT
Repo
https://github.com/elastic/elasticsearch
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7013.json"
vanir_signatures
[
    {
        "digest": {
            "line_hashes": [
                "45579179051866194117804149996246200604",
                "119848415071729397178158796374652642141",
                "268702904613209701760138481469986520807",
                "233930455696044821969899735660498823702",
                "163890961310343880460845341215056522543",
                "121781746028062861453040104154954910898",
                "75515967174573794578045725915657184459",
                "242265910704563585451341748271450313521"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "target": {
            "file": "x-pack/plugin/ccr/src/test/java/org/elasticsearch/xpack/CcrIntegTestCase.java"
        },
        "signature_type": "Line",
        "id": "CVE-2020-7013-46d0a062",
        "source": "https://github.com/elastic/elasticsearch/commit/be2c7bf0f8427387e84c68ad8d2d9abbc60a64da",
        "deprecated": false
    },
    {
        "digest": {
            "line_hashes": [
                "224199583765534546450572128505726274014",
                "323492397107490477775877295489877472566",
                "277068975507872740214400598145450029935",
                "254138046711047538847606693125357275743",
                "206429083783286640014169218886022315638",
                "296895094182996624815457633142985022277",
                "253279550837581745573429071920825148529"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "target": {
            "file": "x-pack/plugin/ccr/src/test/java/org/elasticsearch/xpack/ccr/RestartIndexFollowingIT.java"
        },
        "signature_type": "Line",
        "id": "CVE-2020-7013-5fe7f71b",
        "source": "https://github.com/elastic/elasticsearch/commit/be2c7bf0f8427387e84c68ad8d2d9abbc60a64da",
        "deprecated": false
    },
    {
        "digest": {
            "line_hashes": [
                "86059810673072489087777826235705304512",
                "113362693214779684611162611810226256967",
                "43697961644316964677784293423168194536",
                "41532001999738243291277523044268874425",
                "194352752720767127991353649794071543700",
                "26922355690411780912727066379262132323",
                "162660476306345741350731046397728999646",
                "42609840016367210804582075884021165578"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "target": {
            "file": "test/framework/src/main/java/org/elasticsearch/test/InternalSettingsPlugin.java"
        },
        "signature_type": "Line",
        "id": "CVE-2020-7013-631a6c07",
        "source": "https://github.com/elastic/elasticsearch/commit/be2c7bf0f8427387e84c68ad8d2d9abbc60a64da",
        "deprecated": false
    },
    {
        "digest": {
            "line_hashes": [
                "174040409401571725204720260102635061022",
                "16187474032464237735691424023377353787",
                "157325855902521259613194453628253345659",
                "125845012298588357729943994413230245880",
                "179070855604691138673792169908461853070",
                "244686288359459323752717883005506982217",
                "16206305364527329158402936318262269038",
                "22120711428700509694655039935643773956",
                "162142159011466565104666201381501521296",
                "208975523842519538430290185568227031035",
                "20125575360198518227008405448322384310",
                "7851914447724541572199970193489442946",
                "232412995254253867961617868910148443499",
                "277652103959366784875739196726273869212",
                "260602594023334785138478392292505235222",
                "322400565104534255612132955586742153456",
                "298859253154070104971610918767332865517",
                "71632434484998290779628851355352485598",
                "91838529997363223439127131957701479124",
                "289813517270842779401675180076750458091",
                "202038932232099387720964798180556002825",
                "39906778269268557586257234953299656025",
                "140668071508320775811985736868996745913",
                "198576572049694124173774252374230243369"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "target": {
            "file": "server/src/main/java/org/elasticsearch/transport/RemoteClusterConnection.java"
        },
        "signature_type": "Line",
        "id": "CVE-2020-7013-763aad9c",
        "source": "https://github.com/elastic/elasticsearch/commit/be2c7bf0f8427387e84c68ad8d2d9abbc60a64da",
        "deprecated": false
    },
    {
        "digest": {
            "function_hash": "200263057186406267777659938741382370028",
            "length": 743.0
        },
        "signature_version": "v1",
        "target": {
            "file": "server/src/main/java/org/elasticsearch/transport/RemoteClusterConnection.java",
            "function": "RemoteClusterConnection"
        },
        "signature_type": "Function",
        "id": "CVE-2020-7013-cdc38740",
        "source": "https://github.com/elastic/elasticsearch/commit/be2c7bf0f8427387e84c68ad8d2d9abbc60a64da",
        "deprecated": false
    },
    {
        "digest": {
            "line_hashes": [
                "208231173717578920429253189869714737202",
                "88008018763437278132911345558306380065",
                "44084908447052032805700862068250436233",
                "134469572131951082585105400923879610884"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "target": {
            "file": "x-pack/plugin/ccr/src/test/java/org/elasticsearch/xpack/ccr/CcrRetentionLeaseIT.java"
        },
        "signature_type": "Line",
        "id": "CVE-2020-7013-d16234d1",
        "source": "https://github.com/elastic/elasticsearch/commit/be2c7bf0f8427387e84c68ad8d2d9abbc60a64da",
        "deprecated": false
    },
    {
        "digest": {
            "function_hash": "221701719401787106419630928689580688352",
            "length": 188.0
        },
        "signature_version": "v1",
        "target": {
            "file": "x-pack/plugin/ccr/src/test/java/org/elasticsearch/xpack/ccr/CcrRetentionLeaseIT.java",
            "function": "followerClusterSettings"
        },
        "signature_type": "Function",
        "id": "CVE-2020-7013-ddf385fa",
        "source": "https://github.com/elastic/elasticsearch/commit/be2c7bf0f8427387e84c68ad8d2d9abbc60a64da",
        "deprecated": false
    },
    {
        "digest": {
            "function_hash": "302264429194571615229087144455490955214",
            "length": 338.0
        },
        "signature_version": "v1",
        "target": {
            "file": "test/framework/src/main/java/org/elasticsearch/test/InternalSettingsPlugin.java",
            "function": "getSettings"
        },
        "signature_type": "Function",
        "id": "CVE-2020-7013-f452c8f3",
        "source": "https://github.com/elastic/elasticsearch/commit/be2c7bf0f8427387e84c68ad8d2d9abbc60a64da",
        "deprecated": false
    }
]