CVE-2024-43710 MEDIUM

CVE-2024-43710: Kibana server-side request forgery

Vendor Elastic

Product Kibana

Weakness CWE-918 · SSRF

Published January 23, 2025

Last update January 23, 2025

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. This can be carried out by users with read access to Fleet.

Key dates

02Disclosure timeline

January 23, 2025 CVE published

January 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-43710 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

04Related CVE

CVE-2026-45331 Open WebUI: Full SSRF Vulnerability in the RAG Web Search Feature CVE-2023-40630 Extension - joomcode.com - Unauthenticated LFI/SSRF in JCDashboards component for Joomla 1.0.0-1.1.30 CVE-2024-48944 Apache Kylin: SSRF vulnerability in the diagnosis api CVE-2022-45085 Server-Side Request Forgery in Smartpower Web CVE-2024-1568 Seraphinite Accelerator <= 2.20.52 - Authenticated (Subscriber+) Server-Side Request Forgery in OnAdminApi_HtmlCheck