Kibana 8.12.1 Security Update (ESA-2024-21)

rodrigo_silva · June 10, 2025, 4:48pm

Kibana Improper Authorization (ESA-2024-21)

Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint.

Affected Versions:

Kibana versions before and including 8.12.0.

Solutions and Mitigations:

The issue is resolved in versions 8.12.1.

For Users that Cannot Upgrade:

Self-hosted:
Users with a self-hosted deployment who cannot upgrade can disable the synthetics app OR put a block on synthetics indices.

Disable the synthetics by adding xpack.uptime.enabled: false to their kibana.yml file
Put an index block on the synthetics-* indices to make them read-only see

Elastic Cloud:
Users on an Elastic Cloud deployment who cannot upgrade can put a block on synthetics indices

Severity: High (7.6) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/CR:M/IR:M/AR:M
CVE ID: CVE-2024-43706

Topic		Replies	Views
ELK behind ELB Kibana	4	2496	July 6, 2017
Manage Kibana Access with kibana-auth-plugin and kibana-auth-elasticfence Kibana	1	1256	July 6, 2017
Kibana version Elasticsearch	3	391	July 6, 2017
Elastic Stack 7.17.1 Security Update Security Announcements	1	20445	November 4, 2022
Kibana 6.4.2 plugin:security Privileges are missing and can't be removed, currently Kibana	3	2357	January 10, 2019