Vulnerability Database

313,825

Total vulnerabilities in the database

CVE-2024-37285

A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv and Kibana privileges https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html assigned to them.

The following Elasticsearch indices permissions are required

write privilege on the system indices .kibana_ingest*
The allow_restricted_indices flag is set to true

Any of the following Kibana privileges are additionally required

Under Fleet the All privilege is granted
Under Integration the Read or All privilege is granted
Access to the fleet-setup privilege is gained through the Fleet Server’s service account token

Published: Nov 14, 2024
Updated: Nov 16, 2025
CVE: CVE-2024-37285
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.1
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
elastic / kibana	8.10.0	8.15.0.x

https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo