CVE-2023-46674

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-46674

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-46674.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-46674

Aliases

Published

2023-12-05T18:15:12Z

Modified

2025-02-14T11:51:42.816155Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon Web Services for reporting this issue.

References

https://discuss.elastic.co/t/elasticsearch-hadoop-7-17-11-8-9-0-security-update-esa-2023-28/348663

Affected packages

Git / github.com/elastic/elasticsearch

Affected ranges

Type: GIT
Repo: https://github.com/elastic/elasticsearch
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

eeedb98c60326ea3d46caef960fb4c77958fb885

Affected versions

v0.*

v0.10.0

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.15.0

v0.16.0

v0.17.0

v0.18.0

v0.19.0

v0.19.0.RC1

v0.19.0.RC2

v0.19.0.RC3

v0.20.0.RC1

v0.4.0

v0.5.0

v0.5.1

v0.6.0

v0.7.0

v0.7.1

v0.8.0

v0.9.0

v0.90.0

v0.90.0.Beta1

v0.90.0.RC1

v0.90.0.RC2

v1.*

v1.0.0.Beta1

v1.0.0.Beta2

v1.0.0.RC1

v5.*

v5.0.0-alpha1

v5.0.0-alpha2

v5.0.0-alpha3

v5.0.0-alpha4

v5.0.0-alpha5

v6.*

v6.0.0-alpha1

v6.0.0-alpha2

v7.*

v7.0.0-alpha1

v7.0.0-alpha2

v7.16.0

v7.16.1

v7.17.0

v7.17.1

v7.17.10

v7.17.2

v7.17.3

v7.17.4

v7.17.5

v7.17.6

v7.17.7

v7.17.8

v7.17.9