FKIE_CVE-2024-37285

Vulnerability from fkie_nvd - Published: 2024-11-14 17:15 - Updated: 2025-10-01 18:36
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv  and Kibana privileges https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html  assigned to them. The following Elasticsearch indices permissions are required * write privilege on the system indices .kibana_ingest* * The allow_restricted_indices flag is set to true Any of the following Kibana privileges are additionally required * Under Fleet the All privilege is granted * Under Integration the Read or All privilege is granted * Access to the fleet-setup privilege is gained through the Fleet Server’s service account token
References
security@elastic.cohttps://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119Patch, Vendor Advisory
Impacted products
Vendor Product Version
elastic kibana *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A43056B3-82DB-47C7-83C9-79C1E628221C",
              "versionEndIncluding": "8.15.0",
              "versionStartIncluding": "8.10.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific  Elasticsearch indices privileges https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv \u00a0and  Kibana privileges https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html \u00a0assigned to them.\n\n\n\nThe following Elasticsearch indices permissions are required\n\n  *  write\u00a0privilege on the system indices .kibana_ingest*\n  *  The allow_restricted_indices\u00a0flag is set to true\n\n\nAny of the following Kibana privileges are additionally required\n\n  *  Under Fleet\u00a0the All\u00a0privilege is granted\n  *  Under Integration\u00a0the Read\u00a0or All\u00a0privilege is granted\n  *  Access to the fleet-setup\u00a0privilege is gained through the Fleet Server\u2019s service account token"
    },
    {
      "lang": "es",
      "value": "Un problema de deserializaci\u00f3n en Kibana puede provocar la ejecuci\u00f3n de c\u00f3digo arbitrario cuando Kibana intenta analizar un documento YAML que contiene un payload manipulado. Un ataque exitoso requiere que un usuario malintencionado tenga una combinaci\u00f3n de privilegios espec\u00edficos de \u00edndices de Elasticsearch https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv y privilegios de Kibana https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html asignados a ellos. Se requieren los siguientes permisos de \u00edndices de Elasticsearch * privilegio de escritura en los \u00edndices del sistema .kibana_ingest* * El indicador allow_restricted_indices est\u00e1 configurado en verdadero Cualquiera de los siguientes privilegios de Kibana tambi\u00e9n se requiere * En Fleet, se otorga el privilegio All * En Integration, se otorga el privilegio Read o All * El acceso al privilegio de configuraci\u00f3n de la flota se obtiene a trav\u00e9s del token de cuenta de servicio del servidor Fleet"
    }
  ],
  "id": "CVE-2024-37285",
  "lastModified": "2025-10-01T18:36:35.660",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security@elastic.co",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-11-14T17:15:06.457",
  "references": [
    {
      "source": "security@elastic.co",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119"
    }
  ],
  "sourceIdentifier": "security@elastic.co",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security@elastic.co",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.