A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. This can be carried out by users with read access to Fleet.
{
"cna_assigner": "elastic",
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "8.7.0"
},
{
"fixed": "8.15.0"
}
]
}
],
"cwe_ids": [
"CWE-918"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/43xxx/CVE-2024-43710.json"
}"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-43710.json"
[
{
"source": "https://github.com/elastic/elasticsearch/commit/1a77947f34deddb41af25e6f0ddb8e830159c179",
"digest": {
"function_hash": "142192629617725741299022729598204077325",
"length": 271.0
},
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "createThreadPool",
"file": "x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java"
},
"id": "CVE-2024-43710-8673e70a"
},
{
"source": "https://github.com/elastic/elasticsearch/commit/1a77947f34deddb41af25e6f0ddb8e830159c179",
"digest": {
"line_hashes": [
"90979555117259467445263826000722655414",
"233880512092644159509098133445422903781",
"201588729648204699044316536751211233144",
"150381386453785713982991137249591284441"
],
"threshold": 0.9
},
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java"
},
"id": "CVE-2024-43710-9c9105ba"
},
{
"source": "https://github.com/elastic/elasticsearch/commit/1a77947f34deddb41af25e6f0ddb8e830159c179",
"digest": {
"function_hash": "137023518409038292133452283468593548723",
"length": 2537.0
},
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "validateApiKeyCredentials",
"file": "x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java"
},
"id": "CVE-2024-43710-cae71c55"
},
{
"source": "https://github.com/elastic/elasticsearch/commit/1a77947f34deddb41af25e6f0ddb8e830159c179",
"digest": {
"line_hashes": [
"203603482067859804637258967793063382345",
"322917609237158501780418561654099552269",
"256253239670756748785358014200135771045",
"315837561795991804971382438615044649236",
"146427732354523605064218080296921708373",
"173231181477074759296592300368901057611",
"61022203414500058386117304455448959197",
"193300915082347298917541114706348147175",
"258077855627316307519262695880736716066",
"125996974648388146940214377483342596447",
"40188819877500306413169533609100026446",
"97819836589033936183410863291812511956",
"28174937397667876549461977660517314954",
"135344447971163041939327739838227678862",
"339252469867217754068016957649395888437"
],
"threshold": 0.9
},
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java"
},
"id": "CVE-2024-43710-fbf59ae4"
}
]
"2026-07-09T14:42:24Z"