⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2023-31418: Uncontrolled Resource Consumption in Elasticsearch

Severity
7.5 HIGH (NVD)
EPSS
0.8% (top 25.37%)
CISA KEV
Not in KEV
Exploit
Exploited in wild: active exploitation observed
Timeline
Published: Oct 26

Description

An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. The issue was identified by Elastic Engineering and we have no indication that the issue is known or that it is being exploited in the wild.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Source | Package | Affected versions | More ranges
CVEListV5 | elastic/elasticsearch | 8.0.0 to 8.8.2 | +2
NVD | elastic/elasticsearch | 8.0.0 to 8.8.2 | +1

🔴 Vulnerability Details (6)

OSV: Elasticsearch vulnerable to Uncontrolled Resource Consumption (2023-10-26)
GHSA: Elasticsearch vulnerable to Uncontrolled Resource Consumption (2023-10-26)
OSV: CVE-2023-31418: An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer (2023-10-26)
CVEList: Elasticsearch uncontrolled resource consumption (2023-10-26)
OSV: OpenSearch uncontrolled resource consumption (2023-10-17)

📋 Vendor Advisories (1)

Red Hat: elasticsearch: uncontrolled resource consumption (2023-10-26)
CVE-2023-31418 — Uncontrolled Resource Consumption | cvebase