CVE-2024-37285 (GCVE-0-2024-37285)
Vulnerability from cvelistv5
Published: 2024-11-14 16:49
Modified: 2024-11-14 18:48
Summary
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges (https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv) and Kibana privileges (https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html) assigned to them.

The following Elasticsearch indices permissions are required:

* write privilege on the system indices .kibana_ingest*
* The allow_restricted_indices flag is set to true

Any of the following Kibana privileges are additionally required:

* Under Fleet the All privilege is granted
* Under Integration the Read or All privilege is granted
* Access to the fleet-setup privilege is gained through the Fleet Server’s service account token

Impacted products
Vendor | Product | Version
Elastic | Kibana | 8.10.0 through 8.15.0 (inclusive)


{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:elastic:kibana:-:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "kibana",
                  vendor: "elastic",
                  versions: [
                     {
                        lessThanOrEqual: "8.15.0",
                        status: "affected",
                        version: "8.10.0",
                        versionType: "semver",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-37285",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-11-14T18:46:46.588026Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-11-14T18:48:27.837Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Kibana",
               vendor: "Elastic",
               versions: [
                  {
                     lessThanOrEqual: "8.15.0",
                     status: "affected",
                     version: "8.10.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         datePublic: "2024-09-05T15:42:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<p>A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv\">Elasticsearch indices privileges</a>&nbsp;and <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html\">Kibana privileges</a>&nbsp;assigned to them.<br><br></p><p>The following Elasticsearch indices permissions are required</p><ul><li><code>write</code>&nbsp;privilege on the system indices <code>.kibana_ingest*</code></li><li>The <code>allow_restricted_indices</code>&nbsp;flag is set to <code>true</code></li></ul><p>Any of the following Kibana privileges are additionally required</p><ul><li>Under <code>Fleet</code>&nbsp;the <code>All</code>&nbsp;privilege is granted</li><li>Under <code>Integration</code>&nbsp;the <code>Read</code>&nbsp;or <code>All</code>&nbsp;privilege is granted</li><li>Access to the <code>fleet-setup</code>&nbsp;privilege is gained through the Fleet Server’s service account token</li></ul><p></p><br>",
                  },
               ],
               value: "A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific  Elasticsearch indices privileges https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv  and  Kibana privileges https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html  assigned to them.\n\n\n\nThe following Elasticsearch indices permissions are required\n\n  *  write privilege on the system indices .kibana_ingest*\n  *  The allow_restricted_indices flag is set to true\n\n\nAny of the following Kibana privileges are additionally required\n\n  *  Under Fleet the All privilege is granted\n  *  Under Integration the Read or All privilege is granted\n  *  Access to the fleet-setup privilege is gained through the Fleet Server’s service account token",
            },
         ],
         impacts: [
            {
               capecId: "CAPEC-253",
               descriptions: [
                  {
                     lang: "en",
                     value: "CAPEC-253 Remote Code Inclusion",
                  },
               ],
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.1,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "HIGH",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-502",
                     description: "CWE-502 Deserialization of Untrusted Data",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-11-14T16:54:35.562Z",
            orgId: "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
            shortName: "elastic",
         },
         references: [
            {
               url: "https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Kibana arbitrary code execution via YAML deserialization",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
      assignerShortName: "elastic",
      cveId: "CVE-2024-37285",
      datePublished: "2024-11-14T16:49:16.594Z",
      dateReserved: "2024-06-05T14:21:14.942Z",
      dateUpdated: "2024-11-14T18:48:27.837Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      fkie_nvd: {
         id: "CVE-2024-37285",
         lastModified: "2024-11-15T13:58:08.913",
         metrics: "{\"cvssMetricV31\": [{\"source\": \"bressers@elastic.co\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 9.1, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 6.0}]}",
         published: "2024-11-14T17:15:06.457",
         references: "[{\"url\": \"https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119\", \"source\": \"bressers@elastic.co\"}]",
         sourceIdentifier: "bressers@elastic.co",
         vulnStatus: "Awaiting Analysis",
         weaknesses: "[{\"source\": \"bressers@elastic.co\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]",
      },
   },
}


Sightings

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.