{"id":"CVE-2024-52972","summary":"Kibana allocation of resources without limits or throttling leads to crash","details":"An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana.","aliases":["BIT-elk-2024-52972","BIT-kibana-2024-52972"],"modified":"2026-07-08T08:05:26.528325930Z","published":"2025-01-23T06:11:10.715Z","database_specific":{"cwe_ids":["CWE-770"],"unresolved_ranges":[{"extracted_events":[{"introduced":"8.0.0"},{"fixed":"8.15.0"},{"introduced":"7.0.0"},{"fixed":"7.17.23"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"elastic","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52972.json"},"references":[{"type":"WEB","url":"https://discuss.elastic.co/t/kibana-7-17-23-8-15-0-security-updates-esa-2024-32-esa-2024-33/373548"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52972.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52972"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/elasticsearch","events":[{"introduced":"0"},{"fixed":"61d76462eecaf09ada684d1b5d319b5ff6865a83"},{"introduced":"1b6a7ece17463df5ff54a3e1302d825889aa1161"},{"fixed":"1a77947f34deddb41af25e6f0ddb8e830159c179"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"7.17.23"},{"introduced":"8.0.0"},{"fixed":"8.15.0"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*"}}],"versions":["v7.17.22","v7.17.21","v7.17.20","v7.17.19","v7.17.18","v7.17.17","v7.17.16","v7.17.15","v7.17.14","v7.17.13","v7.17.12","v7.17.11","v7.17.10","v7.17.9","v7.17.8","v7.17.7","v7.17.6","v7.17.5","v7.17.4","v7.17.3","v7.17.2","v7.17.1","v7.17.0","v7.16.1","v7.16.0","v8.0.0-alpha2","v8.0.0-alpha1","v7.0.0-alpha2","v7.0.0-alpha1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52972.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/kibana","events":[{"introduced":"0"},{"fixed":"89cafc519e1d6e0e08d8cf5c13eee6886fe6e412"},{"introduced":"57ca5e139a33dd2eed927ce98d8231a1f217cd15"},{"fixed":"8aa0b59da12c996e3048d8875446667ee6e15c7f"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"7.17.23"},{"introduced":"8.0.0"},{"fixed":"8.15.0"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*"}}],"versions":["deploy@1719814351","deploy@1719209622","deploy@1718616070","deploy@1718000036","v7.17.22","deploy@1717401777","deploy@1717395230","deploy@1716800745","deploy@1716790412","deploy@1716185667","deploy@1715580861","deploy@1714976069","v7.17.21","deploy@1714371303","deploy@1713766425","deploy@1713161715","v7.17.20","deploy@1712566963","deploy@1711952105","deploy@1711370131","v7.17.19","deploy@1710741924","deploy@1710146776","deploy@1710137117","deploy@1709533819","deploy@1709532332","deploy@1708927574","deploy@1708322739","deploy@1707717945","deploy@1707113127","v7.17.18","deploy@1706508321","v7.17.17","deploy@1705903520","deploy@1705306975","deploy@1705298718","deploy@1704693922","deploy@1704089101","deploy@1703484304","deploy@1702903357","deploy@1702879551","deploy@1702367069","deploy@1702284899","v7.17.16","deploy@1701687168","deploy@1701160888","deploy@1700491293","v7.17.15","deploy@1699865290","deploy@1699260155","deploy@1698657637","deploy@1698046713","deploy@1697564183","deploy@1697232175","test-depl-20231025084603","test-depl-20231013154558","deploy@1697028216","deploy@1696873111","deploy@1696618725","v7.17.14","deploy@1696508231","deploy@1696415195","deploy@1696328885","deploy@1695286747","deploy@1694683198","deploy@1694506029","deploy@1694162455","deploy@1694087994","deploy@1693866333","deploy@1693860790","deploy@1693853982","deploy@1693609987","deploy@1693594780","v7.17.13","v7.17.12","v7.17.11","v7.17.10","v7.17.9","v7.17.8","v7.17.7","v7.17.6","v7.17.5","v7.17.4","v7.17.3","v7.17.2","v7.17.1","v7.17.0","v7.16.1","v7.16.0","v8.0.0-alpha2","v8.0.0-alpha1","v7.0.0-alpha2","v7.0.0-alpha1","7.0-known-good","v6.0.0-alpha2","v6.0.0-alpha1","v5.0.0-alpha5","v4.2.0-beta1","v4.0.0-beta3","v4.0.0-beta2","v4.0.0-beta1.1","v4.0.0-beta1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52972.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}