CVE-2023-49923
MEDIUMElastic Enterprise Search < 7.17.16 - Log Information Exposure
Title source: ruleDescription
An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents at INFO log level. Depending on the contents of such documents, this could lead to the insertion of sensitive or private information in the App Search logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by changing the log level at which these are logged to DEBUG, which is disabled by default.
References (2)
Core 2
Core References
Mitigation, Vendor Advisory
https://discuss.elastic.co/t/enterprise-search-8-11-2-7-17-16-security-update-esa-2023-31/349181
Vendor Advisory
https://www.elastic.co/community/security
Scores
CVSS v3
6.8
EPSS
0.0044
EPSS Percentile
63.2%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-532
Status
published
Products (1)
elastic/enterprise_search
7.0.0 - 7.17.16
Published
Dec 12, 2023
Tracked Since
Feb 18, 2026