CVE-2024-23449

MEDIUM

Elasticsearch >= 8.4.0 < 8.11.1 - Info Disclosure

Title source: llm

Description

An uncaught exception in Elasticsearch >= 8.4.0 and < 8.11.1 occurs when an encrypted PDF is passed to an attachment processor through the REST API. The Elasticsearch ingest node that attempts to parse the PDF file will crash. This does not happen with password-protected PDF files or with unencrypted PDF files.

References (1)

[Vendor Advisory] https://discuss.elastic.co/t/elasticsearch-8-11-1-security-update-esa-2024-05/356458

Scores

CVSS v3 4.3

EPSS 0.0005

EPSS Percentile 14.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-248

Status published

Products (2)

elastic/elasticsearch 8.4.0 - 8.11.1

org.elasticsearch/elasticsearch 8.4.0 - 8.11.1Maven

Published Mar 29, 2024

Tracked Since Feb 18, 2026