EIQ-2024-0002

ID

EIQ-2024-0002

CVE

CVE-2024-37285

Description

Kibana 8.10.0 to 8.15.0 contain an arbitrary code execution flaw via YAML deserialization

Date

10 September 2024

Severity

4 - CRITICAL

CVSSv3 score

9.1

Status

⏲ 3.4.2

Assessment

Elastic issued a critical security advisory ESA-2024-28, stating that the following Kibana versions are vulnerable to arbitrary code execution via YAML deserialization:

  • Later than 8.10.0

  • Earlier than 8.15.1

No IC instances are impacted by the separate advisory ESA-2024-27 (CVE-2024-37288).

For more information on the vulnerability, see Elastic’s advisory ESA-2024-28.

Only IC versions 3.4.0 and 3.4.1 bundle an affected version of Kibana:

  • IC 3.4: ELK 8.14.2

EclecticIQ will inform customers when an upgrade path is available.

Mitigation

There is no mitigation for this vulnerability.
This security advisory will be updated as soon as an upgrade path is available.

Affected versions

IC 3.4.0 and 3.4.1

Notes

N/A