CVE-2024-23449 – org.elasticsearch:elasticsearch
Package
Manager: maven
Name: org.elasticsearch:elasticsearch
Vulnerable Version: >=8.4.0 <8.11.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS: 0.0012 (percentile 0.31686)
Details
Elasticsearch Uncaught Exception leading to crash
An uncaught exception in Elasticsearch >= 8.4.0 and < 8.11.1 occurs when an encrypted PDF is passed to an attachment processor through the REST API. The Elasticsearch ingest node that attempts to parse the PDF file will crash. This does not happen with password-protected PDF files or with unencrypted PDF files.
Metadata
Created: 2024-03-29T12:30:42Z
Modified: 2025-05-27T17:50:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-pw39-f3m5-cxfc/GHSA-pw39-f3m5-cxfc.json
CWE IDs: ["CWE-248"]
Alternative ID: GHSA-pw39-f3m5-cxfc
Finding: F140
Auto approve: 1