{"id":"CVE-2024-37287","details":"A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices, can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution.","modified":"2026-04-10T05:14:07.566941Z","published":"2024-08-13T12:15:06.433Z","references":[{"type":"ADVISORY","url":"https://discuss.elastic.co/t/kibana-8-14-2-7-17-23-security-update-esa-2024-22/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/kibana","events":[{"introduced":"e13d5b1fed429df03e29af259ffccd6453250947"},{"fixed":"89cafc519e1d6e0e08d8cf5c13eee6886fe6e412"},{"introduced":"57ca5e139a33dd2eed927ce98d8231a1f217cd15"},{"fixed":"50d89958910ab6fa9b8c4f4f40c53e89ad6dbbe1"}],"database_specific":{"versions":[{"introduced":"7.7.0"},{"fixed":"7.17.23"},{"introduced":"8.0.0"},{"fixed":"8.14.2"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37287.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}