cbcvebase.
CVE-2023-31419
published 2023-10-26

Priority: P266 (high)
CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Exploit: public PoC referenced in the detection notes below
EPSS: 60.68% (99.0th percentile)
A flaw was discovered in Elasticsearch, affecting the _search API that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Denial of Service.

Affected

2 distinct version ranges (the source lists each twice, once with the fix version as the upper bound; the upper bound is exclusive, i.e. the fixed release is not affected)

Vendor    Product         Version range           Fixed in
elastic   elasticsearch   >= 7.0.0, < 7.17.12     7.17.12
elastic   elasticsearch   >= 8.0.0, < 8.9.0       8.9.0

Detection & IOCs (extracted from the referenced sources)

url: http://localhost:9200/*/_search (the PoC's default target)
path: /_search
port: 9200
  • Monitor for high-volume repeated GET requests to /<index>/_search (especially with the wildcard index '*') carrying large JSON bodies that contain a 'match' query on the 'message' field; the referenced PoC loops 100 such queries with a payload of roughly 45 MB each.
  • Alert on java.lang.StackOverflowError entries in the Elasticsearch server log that are associated with _search requests; these indicate the DoS condition was actually triggered, not merely attempted.
  • The PoC authenticates with the default Elasticsearch credentials (elastic/changeme) and targets port 9200. Changing default credentials and restricting network access to port 9200 reduce exposure, but the flaw is in query parsing: any principal that is allowed to call _search can trigger it, so credentials only gate who can reach the endpoint.
  • The PoC disables TLS certificate verification, which lets it run against HTTPS endpoints with self-signed or otherwise untrusted certificates as well as plain HTTP. Enforcing TLS with valid certificates does not change the underlying flaw; it only affects how an attacker's client has to be configured to reach the endpoint.
  • The PoC's notes state it was tested against Elasticsearch 8.5.3 and against OpenSearch, on Ubuntu 20.04 LTS. The affected ranges above are the authoritative list of vulnerable Elasticsearch versions.
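The two monitoring points above (a burst of large-bodied _search requests from one client, and StackOverflowError in the server log) worked through as detection logic over sample logs. This is an added example, not code from the page's sources or from Elastic. The access-log layout (combined log format plus a trailing req_len= body-size field), the sample lines, the client addresses and the thresholds are constructed assumptions; the server-log lines imitate the "path: ..., params: ..." layout Elasticsearch uses when it logs a failed REST request, but they are invented.

```python
"""Detection for the CVE-2023-31419 pattern: many large _search requests from
one client, followed by JVM stack exhaustion in the Elasticsearch log.

Added example. The log formats, sample lines and thresholds are constructed
assumptions, not captures from a real cluster.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed reverse-proxy access log in front of port 9200: combined log format
# extended with a trailing "req_len=<request body bytes>" field.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'req_len=(?P<req_len>\d+)$'
)
# Matches /_search, /<index>/_search and the wildcard /*/_search, with or
# without a query string; /_bulk, /_cluster/health etc. do not match.
SEARCH_PATH_RE = re.compile(r'^/(?:[^/]+/)?_search(?:\?.*)?$')


def parse_access_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["req_len"] = int(rec["req_len"])
    return rec


def is_large_search(rec, min_body=1_000_000):
    """True for a _search request whose body is at least min_body bytes."""
    return (rec is not None
            and SEARCH_PATH_RE.match(rec["path"]) is not None
            and rec["req_len"] >= min_body)


def find_search_floods(lines, window_s=60, min_requests=10, min_body=1_000_000):
    """Return {client: peak} for every client that issued at least
    min_requests large _search requests inside some window_s-second window.
    A sliding window over each client's sorted timestamps is used so a burst
    that straddles a minute boundary is not missed."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_access_line(line)
        if is_large_search(rec, min_body):
            per_client[rec["client"]].append(rec["ts"])
    floods = {}
    for client, stamps in per_client.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(stamps):
            while (t - stamps[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= min_requests:
            floods[client] = peak
    return floods


def find_stack_overflows(es_lines):
    """Return the request path attributed to each java.lang.StackOverflowError
    in an Elasticsearch server log. The failed REST request is logged as
    '... path: <path>, params: {...}' ahead of the stack trace, so each error
    is attributed to the most recent such line (None if there was none)."""
    hits, last_path = [], None
    for line in es_lines:
        m = re.search(r"path: (\S+?),", line)
        if m:
            last_path = m.group(1)
        if "java.lang.StackOverflowError" in line:
            hits.append(last_path)
    return hits


# Constructed sample data: 12 wildcard searches with ~45 MB bodies from one
# client within 12 seconds, plus benign traffic and one unparseable line.
SAMPLE_ACCESS = [
    f'10.0.0.5 - - [26/Oct/2023:10:00:{s:02d} +0000] "GET /*/_search HTTP/1.1" 500 512 req_len=47185920'
    for s in range(12)
] + [
    '10.0.0.9 - - [26/Oct/2023:10:00:03 +0000] "GET /_cluster/health HTTP/1.1" 200 389 req_len=0',
    '10.0.0.9 - - [26/Oct/2023:10:00:04 +0000] "POST /logs/_search HTTP/1.1" 200 2048 req_len=180',
    '10.0.0.9 - - [26/Oct/2023:10:00:05 +0000] "POST /_bulk HTTP/1.1" 200 900 req_len=5000000',
    'not an access log line',
]
# Constructed server-log excerpt in the style of Elasticsearch's r.suppressed logger.
SAMPLE_ES_LOG = [
    '[2023-10-26T10:00:02,114][WARN ][r.suppressed             ] [node-1] path: /*/_search, params: {index=*}',
    'java.lang.StackOverflowError: null',
    '[2023-10-26T10:00:09,771][INFO ][o.e.c.r.a.AllocationService] [node-1] current.health="GREEN"',
]

if __name__ == "__main__":
    print("search floods:", find_search_floods(SAMPLE_ACCESS))
    print("stack overflows:", find_stack_overflows(SAMPLE_ES_LOG))
```

On the sample data the flood detector reports 10.0.0.5 with a peak of 12 large _search requests in the window and ignores the large but unrelated _bulk request, and the log scan attributes the single StackOverflowError to /*/_search. The body-size threshold is deliberately far below the PoC's ~45 MB so a trimmed-down variant is still caught; tune it to the largest legitimate query body your clients send.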

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             3.1       7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ghsa                      7.5     HIGH
osv                       7.5     HIGH
vendor_redhat             6.5     MEDIUM

The Red Hat score of 6.5 is what the NVD vector yields with PR:L in place of PR:N; the disagreement is over whether authentication to the _search API counts as required, not over impact.