CVE-2023-46674: Deserialization of Untrusted Data

December 5, 2023 (updated December 13, 2023)

An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon Web Services for reporting this issue.

References

discuss.elastic.co/t/elasticsearch-hadoop-7-17-11-8-9-0-security-update-esa-2023-28/348663
github.com/advisories/GHSA-rv74-m283-5j95
nvd.nist.gov/vuln/detail/CVE-2023-46674

Detect and mitigate CVE-2023-46674 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →