CVE-2023-46674

MEDIUM

Elasticsearch < 7.17.11 - Authenticated Remote Code Execution via Unsafe Java Deserialization

Title source: llm

Description

An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon Web Services for reporting this issue.

References (1)

Core 1

Core References

Vendor Advisory

https://discuss.elastic.co/t/elasticsearch-hadoop-7-17-11-8-9-0-security-update-esa-2023-28/348663

Scores

CVSS v3 6.0

EPSS 0.0006

EPSS Percentile 19.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-502

Status published

Products (2)

elastic/elasticsearch < 7.17.11

org.elasticsearch/elasticsearch-hadoop 0 - 7.17.11Maven

Published Dec 05, 2023

Tracked Since Feb 18, 2026