CVE-2023-46674
Published: 2023-12-05
Priority: P3 (39) · high · CVSS 3.1 base score 7.8
CVSS vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.24% (15.3th percentile)
An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon Web Services for reporting this issue.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | elasticsearch | < 7.17.11 | 7.17.11 |
| elastic | elasticsearch | >= 8.0.0 < 8.9.0 | 8.9.0 |
| elastic | elasticsearch-hadoop | >= 1.3.0 < 7.17.11 | 7.17.11 |
| elastic | elasticsearch-hadoop | >= 8.0.0 < 8.9.0 | 8.9.0 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (CVSS v3.1) | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Red Hat (vendor) | 6.0 | MEDIUM | |
OSV
Elasticsearch-hadoop Unsafe Deserialization (osv · 2023-12-05 · MEDIUM)
Description: same advisory text as above.
GHSA
Elasticsearch-hadoop Unsafe Deserialization (ghsa · 2023-12-05 · MEDIUM · CWE-502)
Description: same advisory text as above.
Red Hat
elasticsearch-hadoop: unsafe deserialization of java objects (vendor_redhat · 2023-12-05 · CVSS 6.0 · MEDIUM · CWE-502)
Description: same advisory text as above, plus Red Hat's own statement:
A flaw was found in elasticsearch-hadoop that allowed the unsafe deserialization of Java objects from Hadoop or Spark configuration properties that could have been modified by authenticated users. Unsafe deserialization may impact integrity by allowing an attacker to modify unexpected objects or data assumed safe from modification.
Package: org.elasticsearch-elasticsearch (Logging Subsystem for Red Hat OpenShift) - Not affected
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.