CVE-2024-37285
Vulnerability from cvelistv5
Published
2024-11-14 16:49
Modified
2024-11-14 18:48
Severity ?
EPSS score ?
Summary
Kibana arbitrary code execution via YAML deserialization
References
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:elastic:kibana:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "kibana", "vendor": "elastic", "versions": [ { "lessThanOrEqual": "8.15.0", "status": "affected", "version": "8.10.0", "versionType": "semver" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-37285", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-14T18:46:46.588026Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-14T18:48:27.837Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Kibana", "vendor": "Elastic", "versions": [ { "lessThanOrEqual": "8.15.0", "status": "affected", "version": "8.10.0", "versionType": "semver" } ] } ], "datePublic": "2024-09-05T15:42:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eA deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv\"\u003eElasticsearch indices privileges\u003c/a\u003e\u0026nbsp;and \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html\"\u003eKibana privileges\u003c/a\u003e\u0026nbsp;assigned to them.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThe following Elasticsearch indices permissions are required\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ccode\u003ewrite\u003c/code\u003e\u0026nbsp;privilege on the system indices \u003ccode\u003e.kibana_ingest*\u003c/code\u003e\u003c/li\u003e\u003cli\u003eThe \u003ccode\u003eallow_restricted_indices\u003c/code\u003e\u0026nbsp;flag is set to \u003ccode\u003etrue\u003c/code\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAny of the following Kibana privileges are additionally required\u003c/p\u003e\u003cul\u003e\u003cli\u003eUnder \u003ccode\u003eFleet\u003c/code\u003e\u0026nbsp;the \u003ccode\u003eAll\u003c/code\u003e\u0026nbsp;privilege is granted\u003c/li\u003e\u003cli\u003eUnder \u003ccode\u003eIntegration\u003c/code\u003e\u0026nbsp;the \u003ccode\u003eRead\u003c/code\u003e\u0026nbsp;or \u003ccode\u003eAll\u003c/code\u003e\u0026nbsp;privilege is granted\u003c/li\u003e\u003cli\u003eAccess to the \u003ccode\u003efleet-setup\u003c/code\u003e\u0026nbsp;privilege is gained through the Fleet Server\u2019s service account token\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\u003cbr\u003e" } ], "value": "A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv \u00a0and Kibana privileges https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html \u00a0assigned to them.\n\n\n\nThe following Elasticsearch indices permissions are required\n\n * write\u00a0privilege on the system indices .kibana_ingest*\n * The allow_restricted_indices\u00a0flag is set to true\n\n\nAny of the following Kibana privileges are additionally required\n\n * Under Fleet\u00a0the All\u00a0privilege is granted\n * Under Integration\u00a0the Read\u00a0or All\u00a0privilege is granted\n * Access to the fleet-setup\u00a0privilege is gained through the Fleet Server\u2019s service account token" } ], "impacts": [ { "capecId": "CAPEC-253", "descriptions": [ { "lang": "en", "value": "CAPEC-253 Remote Code Inclusion" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-14T16:54:35.562Z", "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic" }, "references": [ { "url": "https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119" } ], "source": { "discovery": "UNKNOWN" }, "title": "Kibana arbitrary code execution via YAML deserialization", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "assignerShortName": "elastic", "cveId": "CVE-2024-37285", "datePublished": "2024-11-14T16:49:16.594Z", "dateReserved": "2024-06-05T14:21:14.942Z", "dateUpdated": "2024-11-14T18:48:27.837Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-37285\",\"sourceIdentifier\":\"bressers@elastic.co\",\"published\":\"2024-11-14T17:15:06.457\",\"lastModified\":\"2024-11-15T13:58:08.913\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv \u00a0and Kibana privileges https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html \u00a0assigned to them.\\n\\n\\n\\nThe following Elasticsearch indices permissions are required\\n\\n * write\u00a0privilege on the system indices .kibana_ingest*\\n * The allow_restricted_indices\u00a0flag is set to true\\n\\n\\nAny of the following Kibana privileges are additionally required\\n\\n * Under Fleet\u00a0the All\u00a0privilege is granted\\n * Under Integration\u00a0the Read\u00a0or All\u00a0privilege is granted\\n * Access to the fleet-setup\u00a0privilege is gained through the Fleet Server\u2019s service account token\"},{\"lang\":\"es\",\"value\":\"Un problema de deserializaci\u00f3n en Kibana puede provocar la ejecuci\u00f3n de c\u00f3digo arbitrario cuando Kibana intenta analizar un documento YAML que contiene un payload manipulado. Un ataque exitoso requiere que un usuario malintencionado tenga una combinaci\u00f3n de privilegios espec\u00edficos de \u00edndices de Elasticsearch https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv y privilegios de Kibana https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html asignados a ellos. Se requieren los siguientes permisos de \u00edndices de Elasticsearch * privilegio de escritura en los \u00edndices del sistema .kibana_ingest* * El indicador allow_restricted_indices est\u00e1 configurado en verdadero Cualquiera de los siguientes privilegios de Kibana tambi\u00e9n se requiere * En Fleet, se otorga el privilegio All * En Integration, se otorga el privilegio Read o All * El acceso al privilegio de configuraci\u00f3n de la flota se obtiene a trav\u00e9s del token de cuenta de servicio del servidor Fleet\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"bressers@elastic.co\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"bressers@elastic.co\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119\",\"source\":\"bressers@elastic.co\"}]}}" } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.