CVE-2023-49923
MEDIUMElastic Enterprise Search 7.0.0-7.17.16 - Sensitive Information Disclosure in App Search Documents API Logs
Title source: llmDescription
An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents at INFO log level. Depending on the contents of such documents, this could lead to the insertion of sensitive or private information in the App Search logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by changing the log level at which these are logged to DEBUG, which is disabled by default.
References (2)
Core 2
Core References
Mitigation, Vendor Advisory
https://discuss.elastic.co/t/enterprise-search-8-11-2-7-17-16-security-update-esa-2023-31/349181
Vendor Advisory
https://www.elastic.co/community/security
Scores
CVSS v3
6.8
EPSS
0.0059
EPSS Percentile
43.6%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-532
Status
published
Products (1)
elastic/enterprise_search
7.0.0 - 7.17.16
Published
Dec 12, 2023
Tracked Since
Feb 18, 2026