CVE-2024-12556
Kibana Prototype Pollution Code Execution
Description
Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal.
INFO
Published Date :
April 8, 2025, 8:15 p.m.
Last Modified :
April 9, 2025, 8:02 p.m.
Source :
[email protected]
Remotely Exploitable :
Yes !
Impact Score :
5.8
Exploitability Score :
2.3
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-12556.
| URL | Resource |
|---|---|
| https://discuss.elastic.co/t/kibana-8-16-4-and-8-17-2-security-update-esa-2025-02/376918 |
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-12556 vulnerability anywhere in the article.
-
Daily CyberSecurity
Critical Vulnerability (CVE-2025-31498) Patched in c-ares DNS Library
The Domain Name System (DNS) plays a pivotal role, translating human-friendly domain names into the numerical IP addresses that computers understand. And at the heart of many applications facilitating ... Read more
-
Daily CyberSecurity
CISA Warns of Actively Exploited Linux Kernel Vulnerabilities (CVE-2024-53197, CVE-2024-53150)
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning after adding two newly discovered Linux kernel vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, co ... Read more
-
Daily CyberSecurity
Seven Years Later: Cisco CVE-2018-0171 Still Exposes Thousands to RCE
In a deep dive published by Guy Bruneau, Senior Security Consultant and former network engineer, the lingering dangers of a years-old Cisco vulnerability—CVE-2018-0171—are laid bare with fresh insight ... Read more
-
Daily CyberSecurity
Critical SSRF Vulnerability Patched in LNbits Lightning Wallet Server
LNbits, the modular and extendable Lightning Network wallet server, has patched a critical Server-Side Request Forgery (SSRF) vulnerability that exposed internal services to potential exploitation via ... Read more
-
Daily CyberSecurity
High-Severity XXE Vulnerability Found in NAKIVO Backup & Replication
A high-severity security vulnerability has been identified in NAKIVO Backup & Replication, a popular data protection solution. The vulnerability, classified as an XML External Entity (XXE) issue and t ... Read more
-
Cyber Security News
Kibana Security Update – Patch for Vulnerability Leads to Code Injection
Elastic has released critical security updates for Kibana, addressing a high-severity vulnerability that could allow attackers to inject malicious code into affected systems. The security update patch ... Read more
-
Daily CyberSecurity
Critical Vulnerabilities: CISA Alerts to Windows CLFS and Gladinet CentreStack Threats
Recently, the Cybersecurity and Infrastructure Security Agency (CISA) added two significant vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting the urgency for users to apply ... Read more
-
Daily CyberSecurity
Windows CLFS Zero-Day Exploited to Deploy Ransomware
Microsoft Threat Intelligence has disclosed active exploitation of a zero-day vulnerability in the Windows Common Log File System (CLFS), tracked as CVE-2025-29824. The exploit, used in the wild, enab ... Read more
-
Daily CyberSecurity
Siemens Security Alert: Critical Vulnerabilities in SENTRON 7KT PAC1260 Data Manager
In a recent security advisory, Siemens ProductCERT has revealed multiple critical vulnerabilities affecting the SENTRON 7KT PAC1260 Data Manager. The advisory, published on April 8, 2025, warns that t ... Read more
-
Daily CyberSecurity
Kibana Code Injection Vulnerability: Prototype Pollution Threat (CVE-2024-12556)
A newly disclosed vulnerability in Kibana, the popular open-source data visualization front-end for Elasticsearch, has been rated CVSS 8.7 due to its potential to allow remote code injection under spe ... Read more
The following table lists the changes that have been made to the
CVE-2024-12556 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
New CVE Received by [email protected]
Apr. 08, 2025
Action Type Old Value New Value Added Description Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Added CVSS V3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Added CWE CWE-1321 Added Reference https://discuss.elastic.co/t/kibana-8-16-4-and-8-17-2-security-update-esa-2025-02/376918
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-12556 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-12556
weaknesses.