CVE-2024-43710

MEDIUM

4.3

Descripcion

A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. This can be carried out by users with read access to Fleet.

Detalles CVE

Puntuacion CVSS v3.14.3

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosLOW

Interaccion usuarioNONE

Publicado1/23/2025

Ultima modificacion9/30/2025

Fuentenvd

Avistamientos honeypot0

Productos afectados

elastic:kibana

Debilidades (CWE)

CWE-918

Referencias

https://discuss.elastic.co/t/kibana-8-15-0-security-update-esa-2024-29-esa-2024-30/373521(security@elastic.co)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.