CVE-2024-37288

CRITICAL LAB

Elastic Kibana - Insecure Deserialization

Title source: rule

Description

A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security’s built-in AI tools https://www.elastic.co/guide/en/security/current/ai-for-security.html and have configured an Amazon Bedrock connector https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html .

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2024-37288

View Code ZIP pw:eip

References (1)

[Mitigation, Vendor Advisory] https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119

Scores

CVSS v3 9.9

EPSS 0.0163

EPSS Percentile 81.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Lab Environment

kibana kibana-patched setup

docker pull ghcr.io/exploitintel/cve-2024-37288-kibana:latest

All Labs GitHub

Classification

CWE

CWE-502

Status published

Affected Products (1)

elastic/kibana

Timeline

Published Sep 09, 2024

Tracked Since Feb 18, 2026