CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-37288

CVSS 9.9v3.1pub. 2024-09-09upd. 2024-09-16

A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security’s built-in AI tools https://www.elastic.co/guide/en/security/current/ai-for-security.html  and have configured an Amazon Bedrock connector https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html .

🤖 AI Analysis
How it works

An attacker sends a specially crafted YAML document containing a malicious payload, which is then deserialized by Kibana. The deserialization process causes the code embedded in the payload to execute on the server side. The vulnerability is triggered in the context of the built-in AI tools in the Elastic Security module with a configured Amazon Bedrock connector.

Impact

An authenticated attacker can achieve remote code execution (RCE) of arbitrary code on the Kibana server, resulting in complete loss of confidentiality, integrity, and availability of the system.

Mitigation & patch

Kibana should be updated to version 8.15.1 or later in accordance with the manufacturer's recommendations published at: https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119. As a temporary workaround, consider disabling the Amazon Bedrock connector and AI tools in the Elastic Security module.

Who is affected

Elastic Kibana — only installations using built-in AI tools in the Elastic Security module and with a configured Amazon Bedrock connector. Specific versions indicated in manufacturer references.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Elastic Kibana

    APP
    Elastic
    8.15.0
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2019-7609CRITICAL10.0⚠ KEVten sam produkt

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. A...

CVE-2025-25014CRITICAL9.1PL ✓ten sam produkt

Prototype Pollution w Kibana prowadzące do RCE przez HTTP

CVE-2025-25015CRITICAL9.9PL ✓ten sam produkt

Prototype Pollution w Elastic Kibana umożliwia zdalne wykonanie kodu (RCE)

CVE-2024-37285CRITICAL9.1PL ✓ten sam produkt

RCE przez deserializację YAML w Elastic Kibana

CVE-2024-37287CRITICAL9.1PL ✓ten sam produkt

RCE w Kibana — prototype pollution przez ML i Alerting connector