Unrated severityNVD Advisory· Published Nov 14, 2024· Updated Nov 14, 2024
Kibana arbitrary code execution via YAML deserialization
CVE-2024-37285
Description
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv and Kibana privileges https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html assigned to them.
The following Elasticsearch indices permissions are required
- write privilege on the system indices .kibana_ingest*
- The allow_restricted_indices flag is set to true
Any of the following Kibana privileges are additionally required
- Under Fleet the All privilege is granted
- Under Integration the Read or All privilege is granted
- Access to the fleet-setup privilege is gained through the Fleet Server’s service account token
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
4- osv-coords2 versions
>= 8.10.0, < 8.15.1+ 1 more
- (no CPE)range: >= 8.10.0, < 8.15.1
- (no CPE)range: >= 8.10.0, < 8.15.1
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.