CVE-2024-37285: 
Kibana vulnerability analysis and mitigation

A critical deserialization vulnerability (CVE-2024-37285) was discovered in Kibana that could lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. The vulnerability was disclosed on November 14, 2024, affecting Kibana versions 8.10.0 to 8.15.0. This vulnerability requires specific access privileges for successful exploitation (Elastic Discussion, NVD).

The vulnerability is classified as a deserialization of untrusted data (CWE-502) with a CVSS v3.1 score of 9.1 (Critical). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H) and no user interaction (UI:N). The scope is changed (S:C) with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code on affected systems, potentially leading to complete system compromise. The high CVSS score of 9.1 indicates severe potential consequences for affected organizations (Security Online).

The vulnerability has been patched in Kibana version 8.15.1. Users are strongly advised to upgrade to this version or higher to address the security risk. The upgrade to version 8.15.1 is currently the most effective solution to mitigate this vulnerability (Elastic Discussion).