CVE-2024-52979 — Elasticsearch Uncontrolled Resource Consumption Vulnerability

Description

Uncontrolled Resource Consumption in Elasticsearch while evaluating specifically crafted search templates with Mustache functions can lead to Denial of Service by causing the Elasticsearch node to crash.

How to fix CVE-2024-52979

To remediate CVE-2024-52979, upgrade the affected package to a fixed version below.

Bitnami/elasticsearch—upgrade to 7.17.25 or later
—upgrade to 7.17.25 or later

Is CVE-2024-52979 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 7.17.0, < 7.17.25, >= 8.0.0, < 8.16.0
from 0, < 7.17.25

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-52979
PATCHgithub.com/elastic/elasticsearch
WEBdiscuss.elastic.co/t/elasticsearch-7-17-25-and-8-16-0-security-update-esa-2024-40/377709
WEBgithub.com/elastic/elasticsearch/commit/cbde7f456d7ccd98556302fccf3238bb4557fc91