Deserialization Flaw in Kibana by Elastic Search
CVE-2024-37285
What is CVE-2024-37285?
A deserialization issue in Kibana allows attackers to execute arbitrary code by manipulating YAML documents. The vulnerability arises when Kibana incorrectly processes crafted payloads. Exploitation requires specific permissions both on Elasticsearch indices and within Kibana: the attacker must hold write privilege on the system indices .kibana_ingest* and the ability to manipulate restricted indices, combined with comprehensive Kibana privileges. Such an exploit poses significant risks to systems that use Kibana for visualization and data analysis.
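To see which roles meet the index-side precondition described above, the following added example (not from the advisory or from Elastic) audits role definitions in the shape returned by the Elasticsearch role API. It assumes that "ability to manipulate restricted indices" corresponds to the role field allow_restricted_indices, handles only `*` wildcard index patterns, and uses constructed sample roles and a constructed probe index name.

```python
import fnmatch

# Constructed sample in the shape returned by GET _security/role; role names
# and grants are made up for illustration.
SAMPLE_ROLES = {
    "fleet_admin_custom": {
        "indices": [{"names": [".kibana*"], "privileges": ["read", "write"],
                     "allow_restricted_indices": True}],
        "applications": [{"application": "kibana-.kibana",
                          "privileges": ["all"], "resources": ["*"]}],
    },
    "log_writer": {
        "indices": [{"names": ["logs-*"], "privileges": ["write"]}],
    },
    "broad_reader": {
        "indices": [{"names": ["*"], "privileges": ["read"],
                     "allow_restricted_indices": True}],
    },
    "wildcard_writer": {  # no allow_restricted_indices, so system indices are excluded
        "indices": [{"names": ["*"], "privileges": ["all"]}],
    },
}

PROBE_INDEX = ".kibana_ingest_example"  # constructed name matched by .kibana_ingest*
WRITE_GRANTS = {"write", "all"}          # "all" includes write


def covers_ingest_index(patterns):
    """True if any '*' wildcard pattern in the grant matches the probe index."""
    return any(fnmatch.fnmatchcase(PROBE_INDEX, p) for p in patterns)


def audit_roles(roles):
    """Map each role meeting the index-side precondition to whether it also
    carries any Kibana application privilege."""
    findings = {}
    for name, role in roles.items():
        for grant in role.get("indices", []):
            if (grant.get("allow_restricted_indices", False)
                    and WRITE_GRANTS & set(grant.get("privileges", []))
                    and covers_ingest_index(grant.get("names", []))):
                findings[name] = any(
                    app.get("application", "").startswith("kibana-")
                    for app in role.get("applications", []))
                break
    return findings


if __name__ == "__main__":
    print(audit_roles(SAMPLE_ROLES))
```

A user can combine several roles, so a role flagged with False still matters if the same user holds Kibana privileges through another role.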

Timeline
- Vulnerability published
- Exploit known to exist
- First article discovered by CybersecurityNews