Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-46674

An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon Web Services for reporting this issue.

Published

2023-12-05T18:15:12.380

Last Modified

2024-11-21T08:29:02.453

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.0 (MEDIUM)

Weaknesses

Type: Secondary
CWE-502
Type: Primary
CWE-502

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	elastic	elasticsearch	< 7.17.11	Yes
Application	elastic	elasticsearch	< 8.9.0	Yes

References

https://discuss.elastic.co/t/elasticsearch-hadoop-7-17-11-8-9-0-security-update-esa-2023-28/348663 Vendor Advisory ([email protected])
https://discuss.elastic.co/t/elasticsearch-hadoop-7-17-11-8-9-0-security-update-esa-2023-28/348663 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)