Impact
Elastic Fleet Server suffers from an Allocation of Resources Without Limits or Throttling flaw (CWE-770). An attacker can craft a request to the upload endpoint that causes the server to allocate excessive memory, degrading performance and ultimately making the service unavailable. The primary impact is a denial of service that can affect all users interacting with Fleet Server.
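To make the flaw class concrete, the following Go example (added here; it is illustrative and not Fleet Server's code) contrasts an upload handler that reads the request body with no cap, the CWE-770 pattern, against one that bounds the read with http.MaxBytesReader. The handler names, the /upload path and the 1 MiB limit are assumptions chosen for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxUploadBytes is an assumed limit for this example, not a Fleet Server setting.
const maxUploadBytes = 1 << 20 // 1 MiB

// unboundedUpload reads the entire request body into memory with no limit.
// Every byte a client sends becomes heap allocation on the server, which is
// the CWE-770 pattern: a large or streamed body exhausts memory.
func unboundedUpload(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "stored %d bytes", len(body))
}

// boundedUpload wraps the body with http.MaxBytesReader so at most
// maxUploadBytes are ever read. Past the limit the read fails with
// *http.MaxBytesError (Go 1.19+) and the server closes the connection
// instead of growing its buffer.
func boundedUpload(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxUploadBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "upload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "stored %d bytes", len(body))
}

// send posts a constructed body of n zero bytes to the handler in-process and
// returns the HTTP status code and response text.
func send(handler http.HandlerFunc, n int) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/upload", bytes.NewReader(make([]byte, n)))
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	oversized := 4 * maxUploadBytes
	code, msg := send(unboundedUpload, oversized)
	fmt.Println("unbounded:", code, msg) // 200, the whole 4 MiB was buffered
	code, msg = send(boundedUpload, oversized)
	fmt.Println("bounded:", code, msg) // 413, read stopped at 1 MiB
}
```

The bounded handler is the mitigation shape to look for in any upload path: the cap is enforced on the stream itself, so a client that omits or lies about Content-Length cannot bypass it, and a rejected request costs the server at most the configured limit.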
Affected Systems
The vulnerability affects the Elastic Fleet Server product. No specific version range is listed in the data; the issue was reported in the context of recent security updates for Fleet Server.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. EPSS data is not available, and the vulnerability is not yet listed in the CISA KEV catalog, suggesting limited known exploitation. The attack vector appears to be the upload endpoint; this is inferred from the description rather than stated explicitly. Because the flaw relies on excessive resource allocation, an attacker does not need elevated privileges, but does need network access to the Fleet Server service. Overall, the risk is moderate, with potential for operational disruption if left unmitigated.
OpenCVE Enrichment