Cyber Resilience

CVE-2024-43707

Severity: High
Published: 23 January 2025
Modified: 30 September 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: 2024-30-37
CVSS Score v3.1: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0078 (74.1st percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-43707 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Elastic Kibana. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS probability is low in absolute terms (0.78%) but ranks in the top 25.9% of CVEs by exploit likelihood (74.1st percentile); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-43707 is a vulnerability in Kibana that allows a user without access to Fleet to view Elastic Agent policies, potentially exposing sensitive information. What is exposed depends on the integrations enabled for the Elastic Agent and their versions: an agent policy carries the configuration of every integration it deploys, so the more integrations a policy drives, the more it can contain. The issue is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), that is, high confidentiality impact, no integrity or availability impact, low attack complexity, low privileges required, no user interaction, and a changed scope (S:C).

The attacker is an authenticated Kibana user with low privileges (PR:L) who lacks Fleet access; the flaw is reachable over the network (AV:N) and needs no user interaction (UI:N). Successful exploitation grants read access to Elastic Agent policies, and with it whatever sensitive data those policies hold for the integrations and versions in use. Because a valid account is required, the realistic threat is an insider with a low-privilege role or an attacker holding stolen low-privilege Kibana credentials; the vulnerability gives an unauthenticated party nothing on its own.

Elastic addresses the issue in the Kibana 8.15.0 security update (advisories ESA-2024-29 and ESA-2024-30), announced in the forum post at https://discuss.elastic.co/t/kibana-8-15-0-security-update-esa-2024-29-esa-2024-30/373521. Upgrade affected Kibana deployments to 8.15.0 or later promptly; until that is done, review which low-privilege accounts exist on the instance, since every one of them can read the policies.


Vulnerability details

An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions.

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

The flaw is an authorization bypass in the Kibana web application: a low-privilege account reaches Fleet data it is not entitled to. When Kibana is exposed, that is exploitation of a public-facing application (T1190), and the payoff is retrieval of sensitive policy data (T1005). Two caveats: T1190 still presupposes valid credentials here (PR:L), so it does not open a network to an unauthenticated outsider, and T1005 is applied loosely, since the data is read through Kibana's API rather than from a file system the adversary already controls.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26938 (same product: Elastic Kibana)
CVE-2026-42398 (same product: Elastic Kibana)
CVE-2025-25015 (same product: Elastic Kibana)
CVE-2026-4498 (same product: Elastic Kibana)
CVE-2026-33461 (same product: Elastic Kibana)
CVE-2026-26935 (same product: Elastic Kibana)
CVE-2026-0528 (same product: Elastic Kibana)
CVE-2026-26937 (same product: Elastic Kibana)
CVE-2026-33458 (same product: Elastic Kibana)
CVE-2026-26936 (same product: Elastic Kibana)

Affected Assets

Elastic Kibana
Affected versions: 8.7.0 up to, but not including, 8.15.0 (8.15.0 carries the fix, per the advisory cited above)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for logical access, directly preventing unauthorized low-privileged users from viewing sensitive Elastic Agent policies in Kibana.

SI-2 Flaw Remediation (prevent)
Requires timely identification, reporting, and correction of flaws like CVE-2024-43707 through patching Kibana to 8.15.0 or later. This is the control that actually removes the flaw; the two access controls only limit who can reach it.

AC-6 Least Privilege (prevent)
Restricts access to the least privileges necessary, ensuring users without Fleet access cannot view associated sensitive policies.
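The two checks that the affected-version range and the access-control guidance on this page translate into, written here as an added example (it is not Elastic's code and not part of the advisory): it flags a Kibana version inside the affected range, and it audits role definitions in the shape Kibana's GET /api/security/role returns to separate roles that grant Fleet from roles that do not. Assumptions: the range is treated as 8.7.0 <= v < 8.15.0 because the page says 8.15.0 carries the fix; the feature privilege keys `fleetv2` (Fleet) and `fleet` (Integrations) are the 8.x names and should be verified against your deployment; the three roles are constructed sample data.

```python
"""Added example for CVE-2024-43707 (not Elastic's code, not from the advisory).

1. is_affected(): is a deployed Kibana version inside the affected range?
   The page lists 8.7.0 - 8.15.0 and says 8.15.0 carries the fix, so the
   range is treated as 8.7.0 <= v < 8.15.0 (assumption).
2. audit_roles(): which Kibana roles grant Fleet access? Input is in the
   shape returned by GET /api/security/role. Roles that do NOT grant Fleet
   are the population that should never see agent policies, and on an
   affected version can read them anyway.
"""
from __future__ import annotations

import json
import re
from typing import Iterable

AFFECTED_MIN = (8, 7, 0)
FIXED_IN = (8, 15, 0)          # assumption: first fixed release, exclusive bound

# Kibana feature privilege keys that confer Fleet access.
# Assumption: these are the 8.x names ("fleetv2" = Fleet, "fleet" = Integrations).
FLEET_FEATURES = {"fleetv2", "fleet"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(v: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (a '-SNAPSHOT'/'+build' suffix is tolerated)."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"not a semantic version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies in [8.7.0, 8.15.0)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def role_grants_fleet(role: dict) -> bool:
    """True if any Kibana privilege block in the role grants a Fleet feature.

    A non-empty 'base' privilege (e.g. ["all"] or ["read"]) applies to every
    feature in the space, Fleet included, so it counts as Fleet access too.
    """
    for block in role.get("kibana", []):
        if block.get("base"):
            return True
        features = block.get("feature", {})
        if any(name in FLEET_FEATURES and privs for name, privs in features.items()):
            return True
    return False


def audit_roles(roles: Iterable[dict]) -> dict[str, list[str]]:
    """Split role names into those with Fleet access and those without."""
    out: dict[str, list[str]] = {"fleet": [], "no_fleet": []}
    for role in roles:
        out["fleet" if role_grants_fleet(role) else "no_fleet"].append(role["name"])
    return out


# Constructed sample: three roles in the shape of GET /api/security/role output.
SAMPLE_ROLES = json.loads("""[
  {"name": "fleet_admin",
   "kibana": [{"base": [], "feature": {"fleetv2": ["all"], "fleet": ["all"]}, "spaces": ["*"]}]},
  {"name": "dashboards_viewer",
   "kibana": [{"base": [], "feature": {"dashboard": ["read"], "discover": ["read"]}, "spaces": ["*"]}]},
  {"name": "space_admin",
   "kibana": [{"base": ["all"], "feature": {}, "spaces": ["marketing"]}]}
]""")


if __name__ == "__main__":
    for v in ("8.6.2", "8.7.0", "8.14.3", "8.15.0", "8.15.1"):
        print(f"kibana {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    print(json.dumps(audit_roles(SAMPLE_ROLES), indent=2))
```

In practice you would feed audit_roles() the saved JSON from the role API rather than the sample. On an affected version, every human account holding only a `no_fleet` role could already have read the agent policies, so that list is the one to review after patching, together with whatever secrets the enabled integrations placed in those policies.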

References

Elastic, "Kibana 8.15.0 Security Update (ESA-2024-29, ESA-2024-30)", https://discuss.elastic.co/t/kibana-8-15-0-security-update-esa-2024-29-esa-2024-30/373521