CVE-2024-37285Deserialization of Untrusted Data in Kibana

CWE-502Deserialization of Untrusted Data3 documents3 sources
Severity
7.2HIGHNVD
CNA9.1
EPSS
1.1%
top 22.32%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Elastic Kibana
Timeline
PublishedNov 14

Description

A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv and Kibana privileges https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html assigned to them. The followin

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

CVEListV5elastic/kibana8.10.08.15.0
NVDelastic/kibana8.10.08.15.0

Patches

Patch: discuss.elastic.co

🔴Vulnerability Details

2
CVEList
Kibana arbitrary code execution via YAML deserialization2024-11-14
GHSA
GHSA-p9rc-m4r5-4rpr: A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload2024-11-14
CVE-2024-37285 — Deserialization of Untrusted Data | cvebase