Elastic unsafe deserialization via Hadoop/Spark config
CVE-2023-46674 Published on December 5, 2023
Elasticsearch-hadoop Unsafe Deserialization
An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon Web Services for reporting this issue.
Vulnerability Analysis
CVE-2023-46674 is exploitable with local system access, and requires user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a high impact on integrity and availability.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2023-46674 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2023-46674
Want to know whenever a new CVE is published for Elasticsearch? stack.watch will email you.
Affected Versions
Elasticsearch-Hadoop:- Version 1.3.0 and below 7.17.11 is affected.
- Version 8.0.0 and below 8.9.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.