CVE-2024-43707

High

Published: 23 January 2025

Published

23 January 2025

Modified

30 September 2025

KEV Added

—

Patch

2024-30-37

CVSS Score 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

EPSS Score 0.0078 73.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-43707 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Elastic Kibana. Its CVSS base score is 7.7 (High).

Operationally, ranked in the top 26.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for logical access, directly preventing unauthorized low-privileged users from viewing sensitive Elastic Agent policies in Kibana.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of flaws like CVE-2024-43707 through patching Kibana to 8.15.0 or later.

AC-6 Least Privilege good match

prevent

Restricts access to the least privileges necessary, ensuring users without Fleet access cannot view associated sensitive policies.

NVD Description

An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their…

respective versions.

Deeper analysisAI

CVE-2024-43707 is a vulnerability in Kibana that allows a user without access to Fleet to view Elastic Agent policies, potentially exposing sensitive information. The content of this sensitive information varies based on the enabled integrations for the Elastic Agent and their versions. The issue is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high confidentiality impact with low attack complexity and privileges required.

An authenticated user with low privileges (PR:L) who lacks Fleet access can exploit this vulnerability over the network without user interaction. Successful exploitation grants unauthorized read access to Elastic Agent policies, enabling the attacker to obtain sensitive data contained within those policies, depending on the specific integrations and versions in use.

The Elastic Security Advisory, detailed in the referenced forum post at https://discuss.elastic.co/t/kibana-8-15-0-security-update-esa-2024-29-esa-2024-30/373521, addresses this issue as part of Kibana 8.15.0 security updates (ESA-2024-29 and ESA-2024-30), providing patches for mitigation. Security practitioners should apply these updates promptly to affected Kibana deployments.

Details

CWE(s): CWE-200 NVD-CWE-noinfo

Affected Products

elastic

kibana

8.7.0 — 8.15.0

CVEs Like This One

CVE-2026-26935Same product: Elastic Kibana

CVE-2026-33458Same product: Elastic Kibana

CVE-2026-33461Same product: Elastic Kibana

CVE-2026-4498Same product: Elastic Kibana

CVE-2026-26938Same product: Elastic Kibana

CVE-2025-25015Same product: Elastic Kibana

CVE-2026-26937Same product: Elastic Kibana

CVE-2026-0528Same product: Elastic Kibana

CVE-2026-26936Same product: Elastic Kibana

CVE-2026-33466Same vendor: Elastic

References

https://discuss.elastic.co/t/kibana-8-15-0-security-update-esa-2024-29-esa-2024-30/373521
Issue Tracking, Patch, Vendor Advisory · security@elastic.co