CVE-2024-52972

Published: Jan 23, 2025Modified: Sep 30, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: security@elastic.co (Secondary)

Description

An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana.

Affected (2)

Products: Elastic: Kibana

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Elastic Kibana	Before 7.17.23
Elastic Kibana	From 8.0.0 to 8.15.0

Related CWEs

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (1)

https://discuss.elastic.co/t/kibana-7-17-23-8-15-0-security-updates-esa-2024-32-esa-2024-33/373548

Source: security@elastic.co

Issue TrackingPatchVendor Advisory

Timeline

No history available yet.