CVE-2024-12556

HIGH
2025-04-08 [email protected]
8.7
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 18:35 vuln.today
Patch Released
Mar 28, 2026 - 18:35 nvd
Patch available
CVE Published
Apr 08, 2025 - 20:15 nvd
HIGH 8.7

Tags

Prototype Pollution Path Traversal Elastic File Upload Kibana

Description

Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal.

Analysis

Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Technical Context

This vulnerability is classified as Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321), which allows attackers to modify object prototypes to inject properties affecting application logic. Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Affected products include: Elastic Kibana.

Affected Products

Elastic Kibana.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Freeze prototypes, validate object keys, avoid recursive merging of untrusted data.

Priority Score

45
Low Medium High Critical
KEV: 0
EPSS: +1.1
CVSS: +44
POC: 0

Share

CVE-2024-12556 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy