Vulnerability DatabaseCVE-2024-43710

CVE-2024-43710:
Kibana vulnerability analysis and mitigation

Overview

A server-side request forgery (SSRF) vulnerability was identified in Kibana (CVE-2024-43710) where the /api/fleet/health_check API could be used to send requests to internal endpoints. The vulnerability affects Kibana versions from 8.7.0 up to 8.15.0, and can be exploited by users with read access to Fleet. Due to the nature of the underlying request, only endpoints available over HTTPS that return JSON could be accessed (Elastic Discussion).

Technical details

The vulnerability has been assigned a CVSSv3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) and specifically affects the /api/fleet/health_check API endpoint (NVD, Elastic Discussion).

Impact

The vulnerability allows attackers to send requests to internal endpoints, though the impact is limited as only HTTPS endpoints returning JSON responses can be accessed. This could potentially lead to unauthorized access to internal services or information disclosure (Security Online).

Mitigation and workarounds

The vulnerability has been fixed in Kibana version 8.15.0. Users are strongly encouraged to upgrade to this version to address the security issue (Security Online, Elastic Discussion).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

4.3

Score

Published January 23, 2025

Severity MEDIUM

CNA Score 4.3

Affected Technologies

Kibana

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 25.6

Exploitation Probability (EPSS) 0.1

Affected packages and libraries

kibana
cpe:2.3:a:elastic:kibana

Sources

Nix
- Nix Severity MEDIUMHas FixAdded at: Oct 03, 2025
VulnCheck NVD++
- Linux Severity MEDIUMHas FixAdded at: Jan 26, 2025
- Windows Severity MEDIUMHas FixAdded at: Jan 26, 2025
NVD
- Linux Severity MEDIUMHas FixAdded at: Oct 03, 2025
- Windows Severity MEDIUMHas FixAdded at: Oct 03, 2025

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Kibana vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-37735	HIGH	7	Kibana	cpe:2.3:a:elastic:kibana	No	Yes	Nov 06, 2025
CVE-2025-25017	MEDIUM	6.1	Kibana	cpe:2.3:a:elastic:kibana	No	Yes	Oct 10, 2025
CVE-2025-25018	MEDIUM	5.4	Kibana	cpe:2.3:a:elastic:kibana	No	Yes	Oct 10, 2025
CVE-2025-37728	MEDIUM	5.4	Kibana	cpe:2.3:a:elastic:kibana	No	Yes	Oct 07, 2025
CVE-2025-37734	MEDIUM	4.3	Kibana	cpe:2.3:a:elastic:kibana	No	Yes	Nov 12, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2024-43710: Kibana vulnerability analysis and mitigation