CVE-2024-43710

Name of the Vulnerable Software and Affected Versions Kibana (affected versions not specified)

Description A server side request forgery issue was identified in Kibana where the "/api/fleet/health check" API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. This can be carried out by users with read access to Fleet.

Recommendations As a temporary workaround, consider restricting access to the "/api/fleet/health check" API endpoint until a patch is available. Restrict access to internal endpoints available over HTTPS that return JSON to minimize the risk of exploitation. Avoid using the "/api/fleet/health check" API endpoint with users who have read access to Fleet until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.