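Uncontrolled Resource Consumption in Elasticsearch while evaluating specially crafted search templates that use Mustache functions can lead to Denial of Service by causing the Elasticsearch node to crash. The signature records below all reference commit f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf; most of them target test files, and the non-test targets are MustacheScriptEngine.java and MustachePlugin.java under modules/lang-mustache.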
[ { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "testJsonEscapeEncoder", "file": "modules/lang-mustache/src/test/java/org/elasticsearch/script/mustache/CustomMustacheFactoryTests.java" }, "digest": { "function_hash": "71956332809056563880664223486586964683", "length": 415.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-52979-0c1617d3", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "testValidateWillPassWithEmptyContext", "file": "x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/support/mapper/TemplateRoleNameTests.java" }, "digest": { "function_hash": "144117584149441582895077635790369464822", "length": 736.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-52979-139f0197", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "testValidateWillFailWhenStoredScriptIsNotEnabled", "file": "x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/support/mapper/TemplateRoleNameTests.java" }, "digest": { "function_hash": "39019849195163078364453451016207410144", "length": 1181.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-52979-1ee3c94e", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "init", "file": "x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/support/WatcherTemplateTests.java" }, "digest": { "function_hash": "49327279215996421982864842442725417674", "length": 352.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-52979-2b44eb1e", "signature_version": "v1" }, { "source": 
"https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "file": "modules/lang-mustache/src/test/java/org/elasticsearch/script/mustache/CustomMustacheFactoryTests.java" }, "digest": { "line_hashes": [ "260724815602827057161342286177331879369", "299414520418435272494288839695706879875", "335829256322753810474725743173018977790", "198411042547988672265206865312720978285", "15779814672166499281565761075813349228", "46277467755220071900592609424390351156", "329228786687257630019199695424718935281", "71142104707383942207649566007965511467", "226618092523756949690133323679628991533", "277459634296988659285413589122364735896", "43833142318932596798330563867445185713", "13999140027293035083310181413892913952", "124588977320519476626865312164560466561" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-52979-333be3cd", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "file": "modules/lang-mustache/src/test/java/org/elasticsearch/script/mustache/MustacheScriptEngineTests.java" }, "digest": { "line_hashes": [ "217054524057156292207676394995186674373", "327768302703017508604682486569004941672", "281573697777141312458118871187442064337", "309455408978515512922101582695487270046", "295481389318677729763671893230986600901", "166219367374926842139429060374574144815" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-52979-34603f65", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "testResolveRoles", "file": "x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStoreTests.java" }, "digest": { "function_hash": "151803326117113157585457799975869449748", "length": 2805.0 }, "deprecated": false, "signature_type": 
"Function", "id": "CVE-2024-52979-3bf0ea81", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "file": "x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStoreTests.java" }, "digest": { "line_hashes": [ "116788657788980503460590120729718152462", "140217039344956654654139697964715819027", "68306334621953786014381747112565645374", "24801166495743943226395526232977233157" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-52979-3c33c3eb", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "testValidateWillFailForSyntaxError", "file": "x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/support/mapper/TemplateRoleNameTests.java" }, "digest": { "function_hash": "111990246283836147376017136221580968231", "length": 428.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-52979-4767f946", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "file": "modules/lang-mustache/src/main/java/org/elasticsearch/script/mustache/MustacheScriptEngine.java" }, "digest": { "line_hashes": [ "27903402534919546635791598199212766113", "202767930690875079314622150558576239219", "292749406633197378400834136773885899657", "141430915633847606271967343419083194512", "25665665366145358368122874853241654402", "22463683707409288580481268856080475135", "47473509260247958739848763824813536341", "133601028643131039637350476030259704996", "333505924171825618663039817871097482957", "297868719096054393079480554301545342329", "242397685812262189735767498840095765614", "33067437703239928262509095675286934326", "310170204601640840685388468965430677173", 
"125954465490018876807588726586019966968", "254598349714001788377917954619669607713", "219532954386181260364522796085181762374" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-52979-4f5edb5b", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "file": "modules/lang-mustache/src/main/java/org/elasticsearch/script/mustache/MustachePlugin.java" }, "digest": { "line_hashes": [ "235899548147279606151004696324130254638", "265280779188572200127151620888020312366", "34886600251018868096240371489786639996", "267796651286796079854174790520448593872" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-52979-5650d50c", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "file": "qa/smoke-test-ingest-with-all-dependencies/src/yamlRestTest/java/org/elasticsearch/ingest/AbstractScriptTestCase.java" }, "digest": { "line_hashes": [ "250455578566233581498805376339838561018", "43049344507468769718159273179949187238", "7740960689439864754600968723644591351", "215100982401377851795135689002797041989" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-52979-5edb0ea4", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "testUrlEncoder", "file": "modules/lang-mustache/src/test/java/org/elasticsearch/script/mustache/CustomMustacheFactoryTests.java" }, "digest": { "function_hash": "198373931074114196356306182644999449192", "length": 440.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-52979-68d99f95", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "testEvaluateRoles", 
"file": "x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/support/mapper/TemplateRoleNameTests.java" }, "digest": { "function_hash": "223760412447585316762464546076035857043", "length": 914.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-52979-78757b80", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "file": "x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java" }, "digest": { "line_hashes": [ "263387662542072824009388131884560621030", "86992289067773551865365100514802097971", "210966287268628218075563521562566291740", "23214285925001973253551710271742601663" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-52979-9377addb", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "file": "x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/support/SecurityQueryTemplateEvaluatorTests.java" }, "digest": { "line_hashes": [ "254663021826302954445532416611309785357", "317705985389165139794914729691248532817", "199371003652752454694329406658746181675", "165216574118162534959982824576327545423", "39164454649212262395848735863829733682", "260026933103347080910720455062658806659" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-52979-9614dc2d", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "file": "x-pack/plugin/identity-provider/src/test/java/org/elasticsearch/xpack/idp/saml/sp/WildcardServiceProviderResolverTests.java" }, "digest": { "line_hashes": [ "335756385624460509286486142715264171061", "288983511741961517629869395403767319999", "281645146429849389591590940323596309613", 
"16469418039822154266118585238964052934" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-52979-9c22b053", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "testDefaultEncoder", "file": "modules/lang-mustache/src/test/java/org/elasticsearch/script/mustache/CustomMustacheFactoryTests.java" }, "digest": { "function_hash": "48993674583749389708093063397443203701", "length": 387.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-52979-a5144cd2", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "file": "x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java" }, "digest": { "line_hashes": [ "258606548703158703357485192177298514436", "288983511741961517629869395403767319999", "281645146429849389591590940323596309613", "290548920894852666947288242126757180887" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-52979-abfa2278", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "getScriptEngine", "file": "modules/lang-mustache/src/main/java/org/elasticsearch/script/mustache/MustachePlugin.java" }, "digest": { "function_hash": "129436509418703097069456262700136609437", "length": 74.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-52979-b3edaa52", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "setUpResolver", "file": "x-pack/plugin/identity-provider/src/test/java/org/elasticsearch/xpack/idp/saml/sp/WildcardServiceProviderResolverTests.java" }, "digest": { "function_hash": 
"242893088829612024318551359488042963237", "length": 352.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-52979-bb6dba01", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "file": "x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/support/mapper/TemplateRoleNameTests.java" }, "digest": { "line_hashes": [ "52666119728895058155379919548760972569", "265088901494427218796380562849545262970", "68306334621953786014381747112565645374", "303313610274449737408608142278211407807", "155116228379801956478467967631501237755", "265088901494427218796380562849545262970", "68306334621953786014381747112565645374", "287950189616453249951421553085885327629", "249434961174674067395602216277173736333", "265088901494427218796380562849545262970", "68306334621953786014381747112565645374", "201267323340808666640761053705481281573", "16221604556372078746319496286368655011", "265088901494427218796380562849545262970", "68306334621953786014381747112565645374", "45500231919697018085588020781170198288", "32378051555540644080244331983031339354", "288983511741961517629869395403767319999", "281645146429849389591590940323596309613", "8297448396737925616065850053481677587", "32378051555540644080244331983031339354", "288983511741961517629869395403767319999", "281645146429849389591590940323596309613", "79521046009440517340384660804322225185", "237028476205265727057270613774050047096", "265088901494427218796380562849545262970", "68306334621953786014381747112565645374", "79521046009440517340384660804322225185" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-52979-c72453d8", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "file": 
"x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/support/WatcherTemplateTests.java" }, "digest": { "line_hashes": [ "60222896673207200111669655988747210836", "43049344507468769718159273179949187238", "10297439231556214893740253186351833188", "318734082014954765476378382938327023586" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-52979-cbf59f4b", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "file": "modules/lang-mustache/src/test/java/org/elasticsearch/script/mustache/MustacheTests.java" }, "digest": { "line_hashes": [ "293485663935582047539482180665074715958", "7571772693397312765249953124617764230", "71457626767536897305977570177194851958", "328263911792211895285744295868415133198", "118476312088919142371722359428106872110", "333817603130987111132605517721006389286" ], "threshold": 0.9 }, "deprecated": false, "signature_type": "Line", "id": "CVE-2024-52979-d54e4993", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "testValidate", "file": "x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/support/mapper/TemplateRoleNameTests.java" }, "digest": { "function_hash": "330410250175392896987158267940458041752", "length": 860.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-52979-d6570ab0", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "testLdapRealmWithTemplatedRoleMapping", "file": "x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java" }, "digest": { "function_hash": "335769580348371564303430900720843911607", "length": 2462.0 }, "deprecated": false, "signature_type": "Function", "id": 
"CVE-2024-52979-d8ab68ef", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "testValidateWillFailWhenStoredScriptIsNotFound", "file": "x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/support/mapper/TemplateRoleNameTests.java" }, "digest": { "function_hash": "307761132169791170555494532896444494722", "length": 830.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-52979-e00685c5", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "execute", "file": "modules/lang-mustache/src/main/java/org/elasticsearch/script/mustache/MustacheScriptEngine.java" }, "digest": { "function_hash": "113004378988032560919429469552194850552", "length": 410.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-52979-e2118008", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "testRealmWithTemplatedRoleMapping", "file": "x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectoryRealmTests.java" }, "digest": { "function_hash": "258889622100346978545772620175505937247", "length": 1879.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-52979-eef5181a", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "testValidationWillFailWhenInlineScriptIsNotEnabled", "file": "x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/support/mapper/TemplateRoleNameTests.java" }, "digest": { "function_hash": "29076598346795565050344845188911097493", "length": 503.0 }, "deprecated": false, "signature_type": "Function", "id": 
"CVE-2024-52979-f08c2428", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "testDocLevelSecurityTemplateWithOpenIdConnectStyleMetadata", "file": "x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/support/SecurityQueryTemplateEvaluatorTests.java" }, "digest": { "function_hash": "224389385575224432383223227596720385923", "length": 928.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-52979-f28ae52f", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "init", "file": "qa/smoke-test-ingest-with-all-dependencies/src/yamlRestTest/java/org/elasticsearch/ingest/AbstractScriptTestCase.java" }, "digest": { "function_hash": "273843737499871966987904892349357433357", "length": 222.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-52979-fa27532d", "signature_version": "v1" }, { "source": "https://github.com/elastic/elasticsearch/commit/f9b6b57d1d0f76e2d14291c04fb50abeb642cfbf", "target": { "function": "setup", "file": "modules/lang-mustache/src/test/java/org/elasticsearch/script/mustache/MustacheScriptEngineTests.java" }, "digest": { "function_hash": "98812509945891425352471627426913116626", "length": 75.0 }, "deprecated": false, "signature_type": "Function", "id": "CVE-2024-52979-fe264b77", "signature_version": "v1" } ]