CVE-2023-31417
information disclosure vulnerability in elasticsearch (Maven)
What is CVE-2023-31417 About?
This flaw in Elasticsearch can lead to sensitive information disclosure: passwords and tokens are written in cleartext to the audit log. It occurs when clients call certain deprecated URIs of the security APIs, because the field filtering that normally strips credentials from audited request bodies is not applied to those routes. Exposure requires audit logging to be enabled with request-body logging turned on, and a client that still sends credentials to the deprecated URIs.
Affected Software
- org.elasticsearch:elasticsearch
- >=7.0.0, <7.17.13
- >=8.0.0, <8.9.2
Technical Details
Elasticsearch filters sensitive fields (for example the password in a change-password request) out of a request body before the body is written to the audit log. That filtering was not applied to requests sent to certain deprecated URIs of the security APIs: the routes under the _xpack/security prefix that were superseded by _security in 7.x. The _xpack/security routes were removed in 8.0.0, but 8.x still serves them through REST API compatibility mode, which a client selects by sending Accept: application/vnd.elasticsearch+json; compatible-with=7 (and the same media type in Content-Type for requests with a body), so 8.x is affected as well. Audit logging is disabled by default, and even when enabled the request body is only written if xpack.security.audit.logfile.events.emit_request_body is explicitly set to true. When xpack.security.audit.enabled and emit_request_body are both true and a request carrying a password or token arrives on a deprecated URI, the body is logged unfiltered, so the credential appears in cleartext in the audit log.
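The practical question after reading the above is whether an existing audit log already holds leaked credentials. The script below is an added example (not Elastic's code and not part of the original advisory) that triages audit-log lines for REST events whose logged request body still contains a cleartext sensitive field, and flags whether the request used a deprecated _xpack/security URI. It assumes the JSON audit-log layout with one event per line and the url.path and request.body attributes; the sample lines are constructed, and the set of sensitive key names is an assumption chosen to match the security API request bodies (change password, create user, token requests).

```python
"""Triage Elasticsearch audit logs for cleartext credentials (CVE-2023-31417).

Added example, not Elastic's code. Sample lines are constructed to mirror the
JSON audit log: one object per line; request.body is only present when
xpack.security.audit.logfile.events.emit_request_body is true.
"""
import json
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Assumed set of body keys that the security REST handlers strip before the
# body is audited on the current /_security/ routes; finding one of these with
# a non-empty value in a logged body is the leak this scan looks for.
SENSITIVE_KEYS = frozenset({"password", "password_hash", "token", "access_token", "refresh_token"})

# Requests on these deprecated routes bypassed the filter in affected versions.
DEPRECATED_PREFIX = "/_xpack/security/"

# Constructed sample audit-log lines (not real log data).
SAMPLE_LINES: List[str] = [
    # 1. Deprecated URI: the audited body carries the cleartext password.
    json.dumps({"type": "audit", "timestamp": "2023-09-01T10:00:00,000+0000",
                "event.type": "rest", "event.action": "authentication_success",
                "user.name": "elastic", "origin.address": "10.0.0.5:41122",
                "request.method": "POST",
                "url.path": "/_xpack/security/user/app_svc/_password",
                "request.body": json.dumps({"password": "Sup3rSecret!"})}),
    # 2. Same operation on the current URI: the handler filter stripped the
    #    password before the body reached the audit trail.
    json.dumps({"type": "audit", "timestamp": "2023-09-01T10:00:05,000+0000",
                "event.type": "rest", "event.action": "authentication_success",
                "user.name": "elastic", "origin.address": "10.0.0.5:41130",
                "request.method": "POST",
                "url.path": "/_security/user/app_svc/_password",
                "request.body": "{}"}),
    # 3. Deprecated token endpoint with a refresh token in the body.
    json.dumps({"type": "audit", "timestamp": "2023-09-01T10:01:00,000+0000",
                "event.type": "rest", "event.action": "authentication_success",
                "user.name": "svc_ingest", "origin.address": "10.0.0.9:50012",
                "request.method": "POST",
                "url.path": "/_xpack/security/oauth2/token",
                "request.body": json.dumps({"grant_type": "refresh_token",
                                            "refresh_token": "vLBPvmAB6KvwvJZr27cS"})}),
    # 4. Transport-layer event: no REST body, must be ignored.
    json.dumps({"type": "audit", "timestamp": "2023-09-01T10:02:00,000+0000",
                "event.type": "transport", "event.action": "access_granted",
                "user.name": "kibana_system", "action": "indices:data/write/bulk"}),
    # 5. Partial line left by log rotation: must not abort the scan.
    "2023-09-01T10:03:00 not json at all",
]


def sensitive_fields(node: Any, prefix: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (dotted path, value) for every sensitive key anywhere in a parsed body."""
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            if key in SENSITIVE_KEYS and isinstance(value, str) and value:
                yield path, value
            else:
                yield from sensitive_fields(value, path)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from sensitive_fields(item, f"{prefix}[{i}]")


def triage_line(line: str) -> Optional[Dict[str, Any]]:
    """Return a finding for one audit line, or None when nothing leaked.

    The finding names the leaked fields but deliberately not their values, so
    running the scan does not copy the secrets into yet another place.
    """
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None  # rotated or truncated line, not an audit event
    if not isinstance(event, dict) or event.get("event.type") != "rest":
        return None
    body_text = event.get("request.body")
    if not body_text:
        return None  # emit_request_body is off, or the request had no body
    try:
        body = json.loads(body_text)
    except json.JSONDecodeError:
        body = {}  # non-JSON body (e.g. form-encoded); out of scope here
    leaked = [field for field, _ in sensitive_fields(body)]
    if not leaked:
        return None
    path = event.get("url.path", "")
    return {"timestamp": event.get("timestamp"), "user": event.get("user.name"),
            "source": event.get("origin.address"), "path": path,
            "deprecated_uri": path.startswith(DEPRECATED_PREFIX),
            "leaked_fields": leaked}


def scan(lines) -> List[Dict[str, Any]]:
    """Triage every line and return the findings in log order."""
    return [f for f in (triage_line(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        tag = "DEPRECATED-URI" if finding["deprecated_uri"] else "current-uri"
        print(f"{finding['timestamp']} {tag} {finding['path']} "
              f"user={finding['user']} from={finding['source']} leaked={finding['leaked_fields']}")
```

Run it against a real file by replacing SAMPLE_LINES with the lines of the audit log (or the events as they arrive in your SIEM). Every finding with deprecated_uri set means the credential named in leaked_fields was stored in cleartext and should be rotated, and the log copies that contain it should be treated as sensitive; findings on current URIs would indicate a body shape the handler filter did not cover and are worth reporting upstream rather than assuming.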
What is the Impact of CVE-2023-31417?
Anyone who can read the audit log, or any copy of it (a log shipping pipeline, a central SIEM, a backup), may recover user passwords and access or refresh tokens from it and authenticate as those users, leading to account compromise or further unauthorized access.
What is the Exploitability of CVE-2023-31417?
This is not a flaw an attacker triggers against Elasticsearch directly: the credential is written to the log whenever a client (a legitimate one, or the attacker if they can send requests) submits it through a deprecated URI, and what the attacker then needs is read access to the audit log or to wherever it is shipped. Three conditions must hold at once: audit logging must be enabled, request-body logging must be turned on (both are off by default), and requests carrying passwords or tokens must reach the deprecated _xpack/security URIs. The risk is heightened in environments where older client applications or scripts still use those URIs and where audit logs are retained for a long time or are readable by more people than the cluster administrators. Remediation is therefore twofold: upgrade, then review existing audit logs for leaked values and rotate any credential found in them.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2023-31417?
Available Upgrade Options
- org.elasticsearch:elasticsearch
- >=7.0.0, <7.17.13 → Upgrade to 7.17.13
- org.elasticsearch:elasticsearch
- >=8.0.0, <8.9.2 → Upgrade to 8.9.2
Additional Resources
- https://discuss.elastic.co/t/elasticsearch-8-9-2-and-7-17-13-security-update/342479
- https://www.elastic.co/community/security
- https://security.netapp.com/advisory/ntap-20231130-0006
- https://osv.dev/vulnerability/GHSA-99pc-69q9-jxf2
- https://nvd.nist.gov/vuln/detail/CVE-2023-31417
What are Similar Vulnerabilities to CVE-2023-31417?
Similar Vulnerabilities: CVE-2021-21398 , CVE-2020-13936 , CVE-2022-22967 , CVE-2019-10247 , CVE-2022-25845
