CVE-2023-49921
Information Disclosure vulnerability in elasticsearch (Maven)
What is CVE-2023-49921 About?
This issue in Elastic Watcher allows search query results, including raw document contents, to be logged at DEBUG level. It poses a risk of sensitive data exposure in logs for specific Watcher configurations. Exploitation requires Watcher usage and a DEBUG log level.
Affected Software
- org.elasticsearch:elasticsearch
  - <7.17.16
  - >8.0.0, <8.11.2
Technical Details
The vulnerability occurs within Elastic's Watcher component, specifically when a Watch's search input is configured. If the search input's logger (e.g., 'org.elasticsearch.xpack.watcher.input.search'), or any hierarchical parent logger, is set to 'DEBUG' or a finer level, the system inadvertently logs the full search query results. This includes the raw contents of documents stored in Elasticsearch. This excessive logging can expose potentially sensitive data in the log files, where it can be read by anyone with sufficient privileges to access those logs.
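The following check is an added example, not code from Elastic or from this advisory. It resolves the effective level of the Watcher search-input logger by walking its hierarchical parents, assuming the input is the parsed JSON of `GET _cluster/settings?flat_settings=true`; the sample response is constructed.

```python
# Added example: decide whether the Watcher search-input logger is effectively
# at DEBUG or finer, given the cluster's dynamic logger settings.
WATCHER_SEARCH_LOGGER = "org.elasticsearch.xpack.watcher.input.search"
VERBOSE_LEVELS = {"DEBUG", "TRACE", "ALL"}  # Log4j levels at DEBUG or finer


def logger_chain(name):
    """Yield the logger itself, then each hierarchical parent, then the root."""
    parts = name.split(".")
    for i in range(len(parts), 0, -1):
        yield ".".join(parts[:i])
    yield "_root"  # Elasticsearch's key for the root logger (logger._root)


def effective_level(flat_settings, name=WATCHER_SEARCH_LOGGER):
    """Return (logger, LEVEL) from the closest logger that has a level set."""
    for candidate in logger_chain(name):
        level = flat_settings.get("logger." + candidate)
        if level:
            return candidate, str(level).upper()
    return None, None


def audit(settings_response):
    """Audit parsed JSON from GET _cluster/settings?flat_settings=true."""
    merged = dict(settings_response.get("persistent", {}))
    merged.update(settings_response.get("transient", {}))  # transient wins
    source, level = effective_level(merged)
    return {"source": source, "level": level, "exposed": level in VERBOSE_LEVELS}


# Constructed sample: a parent logger left at debug after troubleshooting.
SAMPLE = {
    "persistent": {"logger.org.elasticsearch.xpack.watcher": "debug"},
    "transient": {"logger._root": "INFO"},
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Levels set in `log4j2.properties` do not appear in the cluster settings response, so that file needs a separate review on each node.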
What is the Impact of CVE-2023-49921?
Successful exploitation may allow attackers to access sensitive information, including raw document contents, by reviewing verbose log files, potentially leading to data breaches or further attacks.
What is the Exploitability of CVE-2023-49921?
Exploitation complexity is low to moderate. It requires specific environmental prerequisites: the use of Elastic Watcher, a Watch defined with a search input, and the associated logger level (e.g., 'org.elasticsearch.xpack.watcher.input.search') set to DEBUG or finer. No direct authentication or privilege escalation is typically needed for triggering the logging itself, but access to the logs (which might require local access or specific log management system access) is necessary to exploit the information disclosure. This is an internal configuration issue rather than a remote attack vector. The primary risk factor is misconfiguration of logging levels in a production environment, leading to unintentional exposure of sensitive data.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-49921?
Available Upgrade Options
- org.elasticsearch:elasticsearch
  - <7.17.16 → Upgrade to 7.17.16
  - >8.0.0, <8.11.2 → Upgrade to 8.11.2
Additional Resources
- https://discuss.elastic.co/t/elasticsearch-8-11-2-7-17-16-security-update-esa-2023-29/349179
- https://osv.dev/vulnerability/GHSA-2hjr-vmf3-xwvp
- https://nvd.nist.gov/vuln/detail/CVE-2023-49921
- https://github.com/elastic/elasticsearch
What are Similar Vulnerabilities to CVE-2023-49921?
Similar Vulnerabilities: CVE-2023-49080, CVE-2023-44487, CVE-2023-37659, CVE-2022-4881, CVE-2021-43818
