CVE-2023-46674

MEDIUM severity · CVSS 6 · Insecure deserialization

6CVSS MEDIUM

Summary

An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon Web Services for reporting this issue.

Impact & exploitability

Attack vectorLocal

Attack complexityHigh

Privileges requiredHigh

User interactionNone

Confidentiality impactLow

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)0%

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H

Affected products we track (1)

Elasticsearch

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://discuss.elastic.co/t/elasticsearch-hadoop-7-17-11-8-9-0-security-update-esa-2023-28/348663Advisory
https://discuss.elastic.co/t/elasticsearch-hadoop-7-17-11-8-9-0-security-update-esa-2023-28/348663Advisory