GHSA-pw39-f3m5-cxfc

Source

https://github.com/advisories/GHSA-pw39-f3m5-cxfc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-pw39-f3m5-cxfc/GHSA-pw39-f3m5-cxfc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-pw39-f3m5-cxfc

Aliases

BIT-elasticsearch-2024-23449
CVE-2024-23449

Published

2024-03-29T12:30:42Z

Modified

2024-05-19T02:24:02.618925Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

Elasticsearch Uncaught Exception leading to crash

Details

An uncaught exception in Elasticsearch >= 8.4.0 and < 8.11.1 occurs when an encrypted PDF is passed to an attachment processor through the REST API. The Elasticsearch ingest node that attempts to parse the PDF file will crash. This does not happen with password-protected PDF files or with unencrypted PDF files.

Database specific

{
    "nvd_published_at": "2024-03-29T12:15:08Z",
    "cwe_ids": [
        "CWE-248"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-29T15:58:06Z"
}

References

Affected packages

Maven / org.elasticsearch:elasticsearch

Package

Name: org.elasticsearch:elasticsearch; View open source insights on deps.dev
Purl: pkg:maven/org.elasticsearch/elasticsearch

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.4.0

Fixed

8.11.1

Affected versions

8.*

8.4.0

8.4.1

8.4.2

8.4.3

8.5.0

8.5.1

8.5.2

8.5.3

8.6.0

8.6.1

8.6.2

8.7.0

8.7.1

8.8.0

8.8.1

8.8.2

8.9.0

8.9.1

8.9.2

8.10.0

8.10.1

8.10.2

8.10.3

8.10.4

8.11.0