What is the CVSS score of CVE-2024-43710?

CVE-2024-43710 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. EPSS exploitation probability: 0.2%.

Which versions of Kibana are affected by CVE-2024-43710?

Organizations using A server side request forgery vulnerability should be aware of moderate risk from CVE-2024-43710, a server-side request forgery vulnerability rated CVSS 4.3.. A patch is available.

How to fix or mitigate CVE-2024-43710?

During next maintenance window: Identify affected systems and apply vendor patches when convenient. Vendor patch is available.

Kibana CVE-2024-43710

MEDIUM

Server-Side Request Forgery (SSRF) (CWE-918)

2025-01-23 security@elastic.co

SSRF Elastic Kibana

4.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:05 vuln.today

Patch released

Mar 28, 2026 - 18:05 nvd

Patch available

CVE Published

Jan 23, 2025 - 06:15 nvd

MEDIUM 4.3

DescriptionNVD

A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. This can be carried out by users with read access to Fleet.

AnalysisAI

A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Technical ContextAI

This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. This can be carried out by users with read access to Fleet. Affected products include: Elastic Kibana.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.

More from same product – last 7 days

CVE-2026-42398 HIGH This Week

7.7 May 28

Server-side request forgery in Elastic Kibana allows authenticated users holding connector management privileges to bypa

CVE-2026-33464 MEDIUM This Month

6.5 May 28

Denial of service in Kibana allows any authenticated low-privileged user to render the Kibana service unresponsive for a

CVE-2026-42399 MEDIUM This Month

6.5 May 28

Denial of service in Elastic Kibana allows an authenticated low-privileged user to crash the Kibana service and deny acc

CVE-2026-42400 MEDIUM This Month

6.5 May 28

Denial of service in Kibana allows any authenticated user to crash or render unresponsive a Kibana instance by sending a

CVE-2026-49094 MEDIUM This Month

6.5 May 28

Denial of service in Kibana's analytics collections management endpoint allows any authenticated user with viewer-level

CVE-2024-43710 vulnerability details – vuln.today

Back

Kibana CVE-2024-43710

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code