CVE-2024-43707: Kibana exposure of sensitive information to an unauthorized actor
First published: Thu Jan 23 2025(Updated: )
An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic | ||
| Elastic |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-43707?
CVE-2024-43707 has been rated as a medium severity vulnerability.
How do I fix CVE-2024-43707?
To fix CVE-2024-43707, upgrade to the latest patched version of Kibana and Elastic Agent that addresses this issue.
What types of information could be exposed due to CVE-2024-43707?
CVE-2024-43707 could expose sensitive information contained within Elastic Agent policies, which depend on the integrations enabled.
Who is affected by CVE-2024-43707?
Users of Kibana who do not have access to Fleet but can still view Elastic Agent policies are affected by CVE-2024-43707.
What versions of Elastic software are impacted by CVE-2024-43707?
CVE-2024-43707 affects multiple versions of Elastic Kibana and Elastic Agent, specifically those prior to the security update.
- agent/weakness
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/author
- agent/severity
- agent/source
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/elastic
- canonical/elastic