CVE-2024-43710

Source
https://cve.org/CVERecord?id=CVE-2024-43710
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-43710.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-43710
Aliases
Published
2025-01-23T06:06:38.572Z
Modified
2026-07-09T14:42:24.572019Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Kibana server-side request forgery
Details

A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. This can be carried out by users with read access to Fleet.

Database specific
{
    "cna_assigner": "elastic",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "8.7.0"
                },
                {
                    "fixed": "8.15.0"
                }
            ]
        }
    ],
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/43xxx/CVE-2024-43710.json"
}
References

Affected packages

Git / github.com/elastic/elasticsearch

Affected ranges

Type
GIT
Repo
https://github.com/elastic/elasticsearch
Events
Database specific
{
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "8.7.0"
        },
        {
            "fixed": "8.15.0"
        }
    ],
    "cpe": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*"
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-43710.json"
vanir_signatures
[
    {
        "source": "https://github.com/elastic/elasticsearch/commit/1a77947f34deddb41af25e6f0ddb8e830159c179",
        "digest": {
            "function_hash": "142192629617725741299022729598204077325",
            "length": 271.0
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "createThreadPool",
            "file": "x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java"
        },
        "id": "CVE-2024-43710-8673e70a"
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/1a77947f34deddb41af25e6f0ddb8e830159c179",
        "digest": {
            "line_hashes": [
                "90979555117259467445263826000722655414",
                "233880512092644159509098133445422903781",
                "201588729648204699044316536751211233144",
                "150381386453785713982991137249591284441"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java"
        },
        "id": "CVE-2024-43710-9c9105ba"
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/1a77947f34deddb41af25e6f0ddb8e830159c179",
        "digest": {
            "function_hash": "137023518409038292133452283468593548723",
            "length": 2537.0
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "validateApiKeyCredentials",
            "file": "x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java"
        },
        "id": "CVE-2024-43710-cae71c55"
    },
    {
        "source": "https://github.com/elastic/elasticsearch/commit/1a77947f34deddb41af25e6f0ddb8e830159c179",
        "digest": {
            "line_hashes": [
                "203603482067859804637258967793063382345",
                "322917609237158501780418561654099552269",
                "256253239670756748785358014200135771045",
                "315837561795991804971382438615044649236",
                "146427732354523605064218080296921708373",
                "173231181477074759296592300368901057611",
                "61022203414500058386117304455448959197",
                "193300915082347298917541114706348147175",
                "258077855627316307519262695880736716066",
                "125996974648388146940214377483342596447",
                "40188819877500306413169533609100026446",
                "97819836589033936183410863291812511956",
                "28174937397667876549461977660517314954",
                "135344447971163041939327739838227678862",
                "339252469867217754068016957649395888437"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java"
        },
        "id": "CVE-2024-43710-fbf59ae4"
    }
]
vanir_signatures_modified
"2026-07-09T14:42:24Z"

Git / github.com/elastic/kibana

Affected ranges

Type
GIT
Repo
https://github.com/elastic/kibana
Events
Database specific
{
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "8.7.0"
        },
        {
            "fixed": "8.15.0"
        }
    ],
    "cpe": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*"
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-43710.json"