6.8

CVE-2023-49923

EPSS 0.49%
Published 12.12.2023 18:15:23
Last modified 21.11.2024 08:34:00
Source bressers@elastic.co
Teams watchlist Login
Open Login

 An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents at INFO log level. Depending on the contents of such documents, this could lead to the insertion of sensitive or private information in the App Search logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by changing the log level at which these are logged to DEBUG, which is disabled by default.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Elastic ≫ Enterprise Search Version >= 7.0.0 < 7.17.16

Elastic ≫ Enterprise Search Version >= 8.0.0 < 8.11.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.49%	0.645

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
bressers@elastic.co	6.8	2.3	4	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://www.elastic.co/community/security

Vendor Advisory

https://discuss.elastic.co/t/enterprise-search-8-11-2-7-17-16-security-update-esa-2023-31/349181

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2023-49923

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-49923

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-49923

EUVD