We use cookies to improve your experience on our site.
AVID-2026-R1498
Description
Vulnerability CVE-2024-37288
Details
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security’s built-in AI tools https://www.elastic.co/guide/en/security/current/ai-for-security.html and have configured an Amazon Bedrock connector https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html .
Reason for inclusion in AVID: The CVE describes a deserialization vulnerability in Kibana that leads to arbitrary code execution when parsing crafted YAML, specifically affecting users of Elastic Security’s built-in AI tools and an Amazon Bedrock connector. This places the issue squarely in AI tooling used within AI workflows, and the vulnerability resides in software components (Kibana/Elastic stack) that are part of AI pipelines and deployment stacks. It is a clear security vulnerability with direct impact on AI software systems, and the evidence in the report supports it being considered in the AI supply chain context.
References
Affected or Relevant Artifacts
- Developer: Elastic
- Deployer: Elastic
- Artifact Details:
| Type | Name |
|---|---|
| System | Kibana |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Base Score | 9.9 |
| Base Severity | 🔴 Critical |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-502 | CWE-502 Deserialization of Untrusted Data |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-09-09
- Version: 0.3.3
- AVID Entry