CVE-2023-46674 Vulnerability Details


CVE-2023-46674 Metadata Quick Info

CVE Published: 2023-12-05 | CVE Updated: 2024-08-28 | CVE Year: 2023
Source: elastic | Vendor: Elastic | Product: Elasticsearch-Hadoop
Status : PUBLISHED

CVE-2023-46674 Description

An issue was identified that allowed unsafe deserialization of Java objects from Hadoop or Spark configuration properties that could have been modified by authenticated users. Because Java deserialization instantiates whatever classes the byte stream names, a user who can set such a property controls which classes are loaded and which readObject hooks run in the process that reads it. Elastic would like to thank Yakov Shafranovich of Amazon Web Services for reporting this issue.
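The following is an added illustration of the CWE-502 pattern the advisory describes, beside a hardened reader; it is not Elasticsearch-Hadoop's code and does not reproduce the project's actual property names or fix. The java.util.Properties object stands in for a Hadoop or Spark configuration, the key es.demo.settings and the two classes are hypothetical, and the JEP 290 ObjectInputFilter allowlist (Java 9 or later) is one possible mitigation chosen here for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;
import java.util.Properties;

public class ConfigDeserializationDemo {

    // Hypothetical: the one type the reader legitimately expects in the property.
    static final class ConnectorSettings implements Serializable {
        private static final long serialVersionUID = 1L;
        final String hosts;
        final int batchSize;
        ConnectorSettings(String hosts, int batchSize) { this.hosts = hosts; this.batchSize = batchSize; }
    }

    // Hypothetical stand-in for a gadget class: its readObject hook runs during
    // deserialization, which is the code path an attacker-controlled property reaches.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean sideEffectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            sideEffectRan = true; // a real gadget chain would do something far worse here
        }
    }

    // Serialize an object the way a job might stash it in a configuration property.
    static String encode(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    // CWE-502 pattern: whatever class the stream names is instantiated, no questions asked.
    static Object loadUnsafe(Properties conf, String key) throws Exception {
        byte[] raw = Base64.getDecoder().decode(conf.getProperty(key));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    // Hardened: a JEP 290 filter admits only the expected class (plus String for its
    // field) and rejects every other class before any of its code can run.
    static <T> T loadFiltered(Properties conf, String key, Class<T> expected) throws Exception {
        byte[] raw = Base64.getDecoder().decode(conf.getProperty(key));
        ObjectInputFilter allowOnly = ObjectInputFilter.Config.createFilter(
                expected.getName() + ";java.lang.String;!*;maxdepth=4");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(allowOnly);
            return expected.cast(in.readObject());
        }
    }

    public static void main(String[] args) throws Exception {
        Properties conf = new Properties(); // stand-in for a Hadoop/Spark configuration
        conf.setProperty("es.demo.settings", encode(new ConnectorSettings("es01:9200", 1000)));
        ConnectorSettings ok = loadFiltered(conf, "es.demo.settings", ConnectorSettings.class);
        System.out.println("filtered, benign object accepted: " + ok.hosts);

        // An authenticated user who can set job properties swaps in a different object.
        conf.setProperty("es.demo.settings", encode(new Unexpected()));
        loadUnsafe(conf, "es.demo.settings");
        System.out.println("unsafe path ran attacker-chosen readObject: " + Unexpected.sideEffectRan);

        try {
            loadFiltered(conf, "es.demo.settings", ConnectorSettings.class);
        } catch (InvalidClassException e) {
            System.out.println("filtered path rejected it: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ConfigDeserializationDemo.java && java ConfigDeserializationDemo` on Java 9 or newer. The filter is a containment measure for code that must keep reading serialized objects; where the property only needs to carry settings, storing them in a plain-text form such as JSON or key=value pairs and parsing that removes the deserialization sink entirely.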

Metrics

CVSS Version: 3.1 | Base Score: 6.0 MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H

➤ Exploitability Metrics:
    Attack Vector (AV)* LOCAL
    Attack Complexity (AC)* HIGH
    Privileges Required (PR)* HIGH
    User Interaction (UI)* NONE
    Scope (S)* UNCHANGED

➤ Impact Metrics:
    Confidentiality Impact (C)* LOW
    Integrity Impact (I)* HIGH
    Availability Impact (A)* HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-502
CWE Name: Deserialization of Untrusted Data
Source: Elastic
