CVE-2024-37288

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-37288

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37288.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-37288

Aliases

Published

2024-09-09T09:15:02Z

Modified

2025-02-19T03:50:11.587031Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security’s built-in AI tools https://www.elastic.co/guide/en/security/current/ai-for-security.html and have configured an Amazon Bedrock connector https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html .

References

https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119

Affected packages

Git / github.com/elastic/elasticsearch

Affected ranges

Type: GIT
Repo: https://github.com/elastic/elasticsearch
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

1a77947f34deddb41af25e6f0ddb8e830159c179

Type: GIT
Repo: https://github.com/elastic/kibana
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

8aa0b59da12c996e3048d8875446667ee6e15c7f

Affected versions

7.*

7.0-known-good

Other

deploy@1693594780

deploy@1693609987

deploy@1693853982

deploy@1693860790

deploy@1693866333

deploy@1694087994

deploy@1694162455

deploy@1694506029

deploy@1694683198

deploy@1695286747

deploy@1696328885

deploy@1696415195

deploy@1696508231

deploy@1696618725

deploy@1696873111

deploy@1697028216

deploy@1697232175

deploy@1697564183

deploy@1698046713

deploy@1698657637

deploy@1699260155

deploy@1699865290

deploy@1700491293

deploy@1701160888

deploy@1701687168

deploy@1702284899

deploy@1702367069

deploy@1702879551

deploy@1702903357

deploy@1703484304

deploy@1704089101

deploy@1704693922

deploy@1705298718

deploy@1705306975

deploy@1705903520

deploy@1706508321

deploy@1707113127

deploy@1707717945

deploy@1708322739

deploy@1708927574

deploy@1709532332

deploy@1709533819

deploy@1710137117

deploy@1710146776

deploy@1710741924

deploy@1711370131

deploy@1711952105

deploy@1712566963

deploy@1713161715

deploy@1713766425

deploy@1714371303

deploy@1714976069

deploy@1715580861

deploy@1716185667

deploy@1716790412

deploy@1716800745

deploy@1717395230

deploy@1717401777

deploy@1718000036

deploy@1718616070

deploy@1719209622

deploy@1719814351

test-depl-20231013154558

test-depl-20231025084603

v0.*

v0.10.0

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.15.0

v0.16.0

v0.17.0

v0.18.0

v0.19.0

v0.19.0.RC1

v0.19.0.RC2

v0.19.0.RC3

v0.20.0.RC1

v0.4.0

v0.5.0

v0.5.1

v0.6.0

v0.7.0

v0.7.1

v0.8.0

v0.9.0

v0.90.0

v0.90.0.Beta1

v0.90.0.RC1

v0.90.0.RC2

v1.*

v1.0.0.Beta1

v1.0.0.Beta2

v1.0.0.RC1

v4.*

v4.0.0

v4.0.0-beta1

v4.0.0-beta1.1

v4.0.0-beta2

v4.0.0-beta3

v4.0.0BETA1

v4.1.0

v4.2.0-beta1

v5.*

v5.0.0-alpha1

v5.0.0-alpha2

v5.0.0-alpha3

v5.0.0-alpha4

v5.0.0-alpha5

v6.*

v6.0.0-alpha1

v6.0.0-alpha2

v7.*

v7.0.0-alpha1

v7.0.0-alpha2

v8.*

v8.0.0-alpha1

v8.0.0-alpha2

v8.15.0