Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 734154 (CVE-2020-7016, CVE-2020-7017) - <www-apps/kibana-bin-7.8.1: Multiple vulnerabilities (CVE-2020-{7016,7017})
Summary: <www-apps/kibana-bin-7.8.1: Multiple vulnerabilities (CVE-2020-{7016,7017})
Alias: CVE-2020-7016, CVE-2020-7017
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Keywords: PullRequest
Depends on:
Reported: 2020-07-27 21:36 UTC by John Helmert III (ajak)
Modified: 2020-07-30 21:21 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III (ajak) 2020-07-27 21:36:39 UTC

Kibana regular expression denial of service flaw (ESA-2020-09)

Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive.

Affected Versions
All versions before 7.8.1 and 6.8.11

Solutions and Mitigations
Users should upgrade to Kibana version 7.8.1 or 6.8.11. Users unable to upgrade can disable Timelion by setting timelion.enabled to false in the kibana.yml configuration file.


The region map visualization in Kibana contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the region map visualization.

Affected Versions
All versions of Kibana are affected by this flaw

Solutions and Mitigations
Users should upgrade to Kibana version 7.8.1 or 6.8.11. Users unable to upgrade can set ‘xpack.maps.enabled: false’, ‘region_map.enabled: false’, and ‘tile_map.enabled: false’ in kibana.yml to disable map visualizations.

Users running version 6.7.0 or later have a reduced risk from this XSS vulnerability when Kibana is configured to use the default Content Security Policy with a modern browser. While the CSP prevents XSS, it does not mitigate the underlying HTML injection vulnerability.
Comment 1 John Helmert III (ajak) 2020-07-27 21:38:09 UTC
Maintainers, please bump.
Comment 2 Larry the Git Cow gentoo-dev 2020-07-30 18:17:09 UTC
The bug has been referenced in the following commit(s):

commit 3c435545dd3133785849ab04840fac5f8604ae7a
Author:     Tomáš Mózes <>
AuthorDate: 2020-07-29 19:40:34 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2020-07-30 18:16:49 +0000

    www-apps/kibana-bin: bump to 7.8.1
    Signed-off-by: Tomáš Mózes <>
    Signed-off-by: Thomas Deutschmann <>

 www-apps/kibana-bin/Manifest                |  2 +
 www-apps/kibana-bin/kibana-bin-7.8.1.ebuild | 90 +++++++++++++++++++++++++++++
 2 files changed, 92 insertions(+)
Comment 3 John Helmert III (ajak) 2020-07-30 18:21:44 UTC
Thanks. Please cleanup.
Comment 4 Tomáš Mózes 2020-07-30 19:32:30 UTC
Tree clean
Comment 5 Sam James gentoo-dev Security 2020-07-30 21:21:30 UTC
(In reply to Tomáš Mózes from comment #4)
> Tree clean