VYPR
Unrated severity · CISA KEV · NVD Advisory · Published Mar 25, 2019 · Updated Oct 21, 2025

CVE-2019-7609

Description

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system.

Affected products

1

Patches

2
c0c81857d435

Fix Std. Deviation aggregation crashes TSVB (#30810)

https://github.com/elastic/kibana · Alexey Antonov · Feb 12, 2019 · via osv
1 file changed · +1 -1
  • src/legacy/core_plugins/metrics/public/components/aggs/std_deviation.js · +1 -1 · modified
    @@ -51,7 +51,7 @@ const StandardDeviationAggUi = props => {
           value: 'upper'
         },
         {
    -      дabel: intl.formatMessage({ id: 'tsvb.stdDeviation.modeOptions.lowerBoundLabel', defaultMessage: 'Lower Bound' }),
    +      label: intl.formatMessage({ id: 'tsvb.stdDeviation.modeOptions.lowerBoundLabel', defaultMessage: 'Lower Bound' }),
           value: 'lower'
         },
       ];
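
Review bot: the replaced key on the 'Lower Bound' option began with a non-ASCII character (`дabel`), so that option object had no `label` property, and this hunk adds nothing that would catch the same typo elsewhere. A lint rule that rejects non-ASCII characters in identifiers and object keys, or a render test covering the mode options, would close that gap. The change is also confined to the TSVB standard-deviation component, so on its own it does not show anything being changed in Timelion, the component the description names.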
    
e4f1e8f824c4

[5.6] Bump node to 6.16.0 (#27921)

https://github.com/elastic/kibana · Jonathan Budzenski · Feb 5, 2019 · via osv
5 files changed · +7 -6
  • bin/kibana · +1 -1 · modified
    @@ -21,4 +21,4 @@ if [ ! -x "$NODE" ]; then
       exit 1
     fi
     
    -exec "${NODE}" $NODE_OPTIONS --no-warnings "${DIR}/src/cli" ${@}
    +exec "${NODE}" --no-warnings --max-http-header-size=65536 $NODE_OPTIONS "${DIR}/src/cli" ${@}
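
Review bot: on the new `exec` line, `--max-http-header-size=65536` is hard-coded with no comment saying why that value was chosen or what depends on it; add a short comment above the line, since the header limit bounds how much request-header data the server will parse per request. Placing the flag before `$NODE_OPTIONS` is worth stating too, if the intent is that an operator-supplied value takes precedence. While the line is being touched, `${@}` is unquoted and will re-split arguments that contain spaces; `"$@"` preserves them.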
    
  • bin/kibana.bat · +1 -1 · modified
    @@ -22,7 +22,7 @@ If Not Exist "%NODE%" (
     )
     
     TITLE Kibana Server
    -"%NODE%" %NODE_OPTIONS% --no-warnings "%DIR%\src\cli" %*
    +"%NODE%" --no-warnings --max-http-header-size=65536 %NODE_OPTIONS% "%DIR%\src\cli" %*
     
     :finally
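
Review bot: the Windows launcher repeats the same literal `--max-http-header-size=65536` as `bin/kibana`, so the two start scripts can drift apart if one is changed later. Note the shared value in a comment in both files, or cover both launchers with a check that they pass the same flags.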
     
    
  • .node-version · +1 -1 · modified
    @@ -1 +1 @@
    -6.15.1
    +6.16.0
    
  • package.json · +1 -1 · modified
    @@ -280,7 +280,7 @@
         "xmlbuilder": "9.0.4"
       },
       "engines": {
    -    "node": "6.15.1",
    +    "node": "6.16.0",
         "npm": "3.10.10"
       }
     }
    
  • test/functional/apps/visualize/_region_map.js · +3 -2 · modified
    @@ -3,8 +3,9 @@ import expect from 'expect.js';
     
     export default function ({ getService, getPageObjects }) {
     
    -
    -  describe('visualize app', function describeIndexTests() {
    +  // The list of vector maps depends on an external manifest
    +  // USA States is not selectable if the service is not reachable
    +  describe.skip('visualize app', function describeIndexTests() {
     
         const fromTime = '2015-09-19 06:31:44.000';
         const toTime = '2015-09-23 18:31:44.000';
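
Review bot: `describe.skip` on the top-level 'visualize app' block disables the whole block, not only the cases that depend on the external vector-map manifest, and nothing here records when it should be re-enabled. Skip only the cases that need the manifest, or stub the manifest in the test setup, and reference a tracking issue in the comment so the suite does not stay disabled.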
    

References

5
