PT-2024-10387 · Elastic · Kibana

Published: 2024-08-15 · Updated: 2025-01-28 · CVE-2024-43707

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Elastic Kibana versions 8.0.0 through 8.15.0

Description: An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions. Over 351K services are found to be potentially affected, with 202K+ results found on ZoomEye.

Recommendations: For Elastic Kibana versions 8.0.0 through 8.15.0, upgrade to version 8.15.0+ immediately to safeguard your data. As a temporary workaround, consider restricting access to Elastic Agent policies to minimize the risk of exploitation. Avoid using the Elastic Agent policies in the affected Kibana instances until the issue is resolved.

Fix

Weakness Enumeration

Improper Access Control
Incorrect Privilege Assignment
Information Disclosure

Related Identifiers

BDU:2025-00896
BIT-ELK-2024-43707
BIT-KIBANA-2024-43707
CVE-2024-43707

Affected Products

Kibana