BIT-elk-2024-43710

Import Source
https://github.com/bitnami/vulndb/tree/main/data/elk/BIT-elk-2024-43710.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-elk-2024-43710
Aliases
Published
2025-01-27T07:09:48.425Z
Modified
2025-01-27T08:59:01.127679Z
Summary
[none]
Details

A server-side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over HTTPS that return JSON could be accessed. This can be carried out by users with read access to Fleet.

Database specific
{
    "cpes": [
        "cpe:2.3:a:elasticsearch:kibana:*:*:*:*:*:node.js:*:*"
    ],
    "severity": "Medium"
}
References

Affected packages

Bitnami / elk

Package

Name
elk
Purl
pkg:bitnami/elk

Severity

  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
8.7.0
Fixed
8.15.0