CVE-2024-43710: Kibana server-side request forgery
First published: Thu Jan 23 2025(Updated: )
A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. This can be carried out by users with read access to Fleet.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-43710?
CVE-2024-43710 has been classified as a server-side request forgery (SSRF) vulnerability that could lead to unauthorized access to internal endpoints.
How do I fix CVE-2024-43710?
To mitigate CVE-2024-43710, users should upgrade to the latest version of Elastic Kibana that addresses this vulnerability.
What versions of Kibana are affected by CVE-2024-43710?
CVE-2024-43710 affects various versions of Elastic Kibana prior to the security update that resolves the issue.
What type of requests can be sent using CVE-2024-43710?
CVE-2024-43710 allows the sending of requests to internal endpoints that are accessible over HTTPS and return JSON.
Is it possible to exploit CVE-2024-43710 remotely?
Yes, CVE-2024-43710 can potentially be exploited remotely due to the nature of server-side request forgery vulnerabilities.
- agent/title
- agent/weakness
- agent/references
- agent/description
- agent/type
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/author
- agent/severity
- agent/source
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/elastic
- canonical/elastic