CVE-2024-43710

4.3 MEDIUM

📋 TL;DR

A server-side request forgery (SSRF) vulnerability in Kibana's Fleet API allows authenticated users with Fleet read access to make Kibana send requests to internal HTTPS endpoints that return JSON. This could expose internal services and sensitive data. Only authenticated users holding Fleet read permissions can trigger it.

💻 Affected Systems

Products:
  • Kibana
Versions: Before 8.15.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Fleet feature enabled and user with Fleet read permissions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive internal APIs, retrieve confidential data, or pivot to other internal systems if vulnerable endpoints exist.

🟠 Likely Case

Information disclosure from internal APIs that return JSON over HTTPS, potentially exposing configuration data or service metadata.

🟢 If Mitigated

Limited to JSON endpoints over HTTPS, with no direct code execution or system compromise possible.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user with Fleet read access and knowledge of internal endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kibana 8.15.0

Vendor Advisory: https://discuss.elastic.co/t/kibana-8-15-0-security-update-esa-2024-29-esa-2024-30/373521

Restart Required: Yes

Instructions:

1. Upgrade Kibana to version 8.15.0 or later.
2. Restart the Kibana service.
3. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict Fleet API Access

Limit access to the /api/fleet/health_check endpoint using network controls or application firewalls.

Reduce User Permissions

Review and minimize the set of users with Fleet read permissions, keeping only those who genuinely need it.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Kibana from sensitive internal services.
  • Monitor and audit all requests to the /api/fleet/health_check endpoint for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check the Kibana version via the Kibana UI or API. If the version is below 8.15.0 and Fleet is enabled, the system is vulnerable.

Check Version:

curl -X GET "http://localhost:5601/api/status" | grep "number"

Verify Fix Applied:

Confirm the Kibana version is 8.15.0 or higher and test that the /api/fleet/health_check endpoint no longer allows SSRF to arbitrary hosts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /api/fleet/health_check with external or internal URLs
  • Multiple failed health check attempts with varying parameters

Network Indicators:

  • Outbound HTTPS requests from Kibana to unexpected internal endpoints
  • Unusual traffic patterns from Kibana to other services

SIEM Query:

source="kibana.log" AND "/api/fleet/health_check" AND (url=*http* OR url=*https*)
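An added detection example, not part of this page or of Kibana itself, that applies the log indicators above to constructed sample log records: the record field names (user, path, body) and the host key are assumptions about how the request would appear in your logs, and the .internal suffix check is an assumed local naming convention.

```python
import ipaddress
import json
import re
from urllib.parse import urlparse

HEALTH_CHECK_PATH = "/api/fleet/health_check"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample log records (not real Kibana output). Field names and the
# "host" key are assumptions about how the request body would be logged.
SAMPLE_LOGS = [
    '{"ts":"2024-08-01T10:00:00Z","user":"alice","path":"/api/fleet/health_check","body":{"host":"https://fleet-server.example.com:8220"}}',
    '{"ts":"2024-08-01T10:00:05Z","user":"bob","path":"/api/fleet/health_check","body":{"host":"https://169.254.169.254/latest/meta-data"}}',
    '{"ts":"2024-08-01T10:00:06Z","user":"bob","path":"/api/fleet/health_check","body":{"host":"https://10.0.3.7:9200/_cluster/health"}}',
    '{"ts":"2024-08-01T10:00:07Z","user":"bob","path":"/api/fleet/health_check","body":{"host":"https://localhost:5601/api/status"}}',
    '{"ts":"2024-08-01T10:00:09Z","user":"carol","path":"/api/status","body":{}}',
]


def is_internal_host(hostname: str) -> bool:
    """True for loopback, private, link-local (cloud metadata) addresses and local names."""
    if hostname == "localhost" or hostname.endswith((".localhost", ".internal")):
        return True  # ".internal" is an assumed local naming convention
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        return False  # unresolved DNS name: cannot classify offline
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def analyze(log_lines):
    """Return (alerts, per_user_counts) for health_check requests aimed at internal hosts."""
    alerts, per_user = [], {}
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("path") != HEALTH_CHECK_PATH:
            continue
        per_user[rec["user"]] = per_user.get(rec["user"], 0) + 1
        # Scan any URL embedded in the logged body, whatever the key is called
        for url in URL_RE.findall(json.dumps(rec.get("body", {}))):
            host = urlparse(url).hostname or ""
            if is_internal_host(host):
                alerts.append({"user": rec["user"], "ts": rec["ts"], "target": url})
    return alerts, per_user


def burst_users(per_user, threshold=3):
    """Users issuing repeated health checks with varying parameters (second log indicator)."""
    return sorted(u for u, n in per_user.items() if n >= threshold)


if __name__ == "__main__":
    found, counts = analyze(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT {a['ts']} user={a['user']} internal target {a['target']}")
    print("burst users:", burst_users(counts))
```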
