Rewterz

Multiple Elastic Products Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-12556 (CVSS 8.7)

Prototype pollution in Elastic Kibana can lead to code injection when combined with an unrestricted file upload and a path traversal. No privilege precondition is stated for this issue, which is why it carries the highest score of the four.

CVE-2024-52981 (CVSS 4.9)

An issue was discovered in Elasticsearch where deep recursion while parsing a Well-Known Text (WKT) string containing nested GeometryCollection objects could cause a stack overflow.

CVE-2024-52974 (CVSS 6.5)

An issue has been identified where a specially crafted request sent to an Observability API could cause the Kibana server to crash. A successful attack requires the malicious user to hold read permissions for Observability.

CVE-2024-52980 (CVSS 6.5)

A flaw was discovered in Elasticsearch where deep recursion in the innerForbidCircularReferences function of the PatternBank class could cause the Elasticsearch node to crash. A successful attack requires the malicious user to hold the read_pipeline Elasticsearch cluster privilege.

Impact

  • Gain Access / Code Injection (Kibana, CVE-2024-12556)
  • Denial of Service: Elasticsearch node or Kibana server crash (CVE-2024-52981, CVE-2024-52974, CVE-2024-52980)

Indicators of Compromise

CVE

  • CVE-2024-12556

  • CVE-2024-52981

  • CVE-2024-52974

  • CVE-2024-52980

Affected Vendors

  • Elastic

Affected Products

  • Kibana 8.16.1 and 8.17.1 (CVE-2024-12556)
  • Kibana 7.17.0 to 7.17.22 and 8.0.0 to 8.15.0 (CVE-2024-52974)
  • Elasticsearch 7.17.0 to 7.17.23 and 8.0 to 8.15.0 (CVE-2024-52980, CVE-2024-52981)
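The version ranges above are what an operator actually has to check against, and reading them by eye across two products and four CVEs is error-prone. The following script is an added example written for this advisory (it is not Rewterz or Elastic code). It encodes the affected ranges as inclusive bounds, pulls the version number out of the JSON that Elasticsearch returns for `GET /` and that Kibana returns for `GET /api/status`, and reports which CVEs apply. The per-CVE mapping of ranges follows Elastic's individual advisories for these CVEs; the sample responses are constructed for the example, and the cluster names, endpoints and the `check_deployment` helper are illustrative only.

```python
"""Compare Elasticsearch / Kibana versions against the ranges in this advisory.

Added example: the range table is transcribed from the advisory's Affected
Products list; the two sample JSON bodies are constructed, not captured.
"""
import json
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (CVE, lowest affected version, highest affected version), bounds inclusive.
# Assumption: CVE-to-range mapping as published in Elastic's per-CVE advisories.
AFFECTED: Dict[str, List[Tuple[str, Version, Version]]] = {
    "elasticsearch": [
        ("CVE-2024-52980", (7, 17, 0), (7, 17, 23)),
        ("CVE-2024-52980", (8, 0, 0), (8, 15, 0)),
        ("CVE-2024-52981", (7, 17, 0), (7, 17, 23)),
        ("CVE-2024-52981", (8, 0, 0), (8, 15, 0)),
    ],
    "kibana": [
        ("CVE-2024-52974", (7, 17, 0), (7, 17, 22)),
        ("CVE-2024-52974", (8, 0, 0), (8, 15, 0)),
        ("CVE-2024-12556", (8, 16, 1), (8, 16, 1)),
        ("CVE-2024-12556", (8, 17, 1), (8, 17, 1)),
    ],
}


def parse_version(text: str) -> Version:
    """Turn '8.15.0' or '8.15.0-SNAPSHOT' into a comparable (major, minor, patch)."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unparseable version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def affected_cves(product: str, version_text: str) -> List[str]:
    """Return the CVEs from this advisory that apply to the given product version."""
    version = parse_version(version_text)
    hits: List[str] = []
    for cve, low, high in AFFECTED[product]:
        if low <= version <= high and cve not in hits:
            hits.append(cve)
    return hits


def version_from_status_body(body: str) -> str:
    """Both `GET /` on Elasticsearch and `GET /api/status` on Kibana return
    a JSON object with version.number."""
    return json.loads(body)["version"]["number"]


def check_deployment(product: str, body: str) -> Dict[str, object]:
    """Illustrative helper: parse one status response and report applicable CVEs."""
    number = version_from_status_body(body)
    return {"product": product, "version": number, "cves": affected_cves(product, number)}


# Constructed sample responses (not captured from a real cluster).
SAMPLE_ES_ROOT = json.dumps({
    "name": "es-node-1",
    "cluster_name": "example-cluster",
    "version": {"number": "8.15.0", "build_flavor": "default", "lucene_version": "9.11.1"},
    "tagline": "You Know, for Search",
})
SAMPLE_KIBANA_STATUS = json.dumps({
    "name": "kibana-1",
    "version": {"number": "8.16.1", "build_hash": "deadbeef", "build_number": 0},
    "status": {"overall": {"level": "available"}},
})


if __name__ == "__main__":
    for product, body in (("elasticsearch", SAMPLE_ES_ROOT), ("kibana", SAMPLE_KIBANA_STATUS)):
        result = check_deployment(product, body)
        print(f"{result['product']} {result['version']}: {result['cves'] or 'not affected'}")
```

Feed it real responses with `curl -s -u user:pass https://es:9200/` and `curl -s -u user:pass https://kibana:5601/api/status` (Kibana also accepts an API key in the Authorization header); a version one patch above the upper bound returns an empty list, which is the quickest way to confirm an upgrade actually closed all four issues.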

Remediation

Refer to the Elastic website for patch, upgrade, or suggested workaround information for each CVE:

  • CVE-2024-12556
  • CVE-2024-52981
  • CVE-2024-52974
  • CVE-2024-52980

Until the upgrade is in place, note that CVE-2024-52974 and CVE-2024-52980 are only reachable by authenticated users holding Observability read permissions or the read_pipeline cluster privilege respectively, so reviewing which roles grant those rights reduces exposure to the crash conditions described above.