CVE-2024-43707

An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://discuss.elastic.co/t/kibana-8-15-0-security-update-esa-2024-29-esa-2024-30/373521	Patch Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*

History

30 Sep 2025, 20:59

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
References	~~() https://discuss.elastic.co/t/kibana-8-15-0-security-update-esa-2024-29-esa-2024-30/373521 -~~	() https://discuss.elastic.co/t/kibana-8-15-0-security-update-esa-2024-29-esa-2024-30/373521 - Patch, Issue Tracking, Vendor Advisory
Summary		(es) Se identificó un problema en Kibana en el que un usuario sin acceso a Fleet puede ver políticas de Elastic Agent que podrían contener información confidencial. La naturaleza de la información confidencial depende de las integraciones habilitadas para Elastic Agent y sus respectivas versiones.
CPE		cpe:2.3:a:elastic:kibana::::::::
First Time		Elastic Elastic kibana

23 Jan 2025, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-23 06:15

Updated : 2025-09-30 20:59

NVD link : CVE-2024-43707

Mitre link : CVE-2024-43707

CVE.ORG link : CVE-2024-43707

JSON object : View

Products Affected

elastic

kibana

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

{"id": "CVE-2024-43707", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "bressers@elastic.co", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-01-23T06:15:27.380", "references": [{"url": "https://discuss.elastic.co/t/kibana-8-15-0-security-update-esa-2024-29-esa-2024-30/373521", "tags": ["Patch", "Issue Tracking", "Vendor Advisory"], "source": "bressers@elastic.co"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "bressers@elastic.co", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions."}, {"lang": "es", "value": "Se identific\u00f3 un problema en Kibana en el que un usuario sin acceso a Fleet puede ver pol\u00edticas de Elastic Agent que podr\u00edan contener informaci\u00f3n confidencial. La naturaleza de la informaci\u00f3n confidencial depende de las integraciones habilitadas para Elastic Agent y sus respectivas versiones."}], "lastModified": "2025-09-30T20:59:28.480", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22FF4C9E-C60B-42AB-B0DF-F95DAFEAB92D", "versionEndExcluding": "8.15.0", "versionStartIncluding": "8.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "bressers@elastic.co"}