Veracode Vulnerability Database | VERACODE:44358
Nov 23, 2023 - 7:34 a.m.

Denial Of Service (DoS)

2023-11-23 07:34:50
Source: sca.analysiscenter.veracode.com
Tags: elasticsearch, exception handling, ingest pipeline, vulnerability, dos, script processor, elastic node crash

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7 High (Confidence: High)

EPSS: 0.0005 Low (Percentile: 17.0%)

Elasticsearch is vulnerable to Denial of Service (DoS). The vulnerability is caused by a lack of exception handling when the simulate pipeline API is called: the script processor of an ingest pipeline fails to handle malformed scripts. This can crash an Elasticsearch node and ultimately deny service to users.
