CVE-2024-23449: Elasticsearch Uncaught Exception leading to crash

March 29, 2024

An uncaught exception in Elasticsearch >= 8.4.0 and < 8.11.1 occurs when an encrypted PDF is passed to an attachment processor through the REST API. The Elasticsearch ingest node that attempts to parse the PDF file will crash. This does not happen with password-protected PDF files or with unencrypted PDF files.

References

discuss.elastic.co/t/elasticsearch-8-11-1-security-update-esa-2024-05/356458
github.com/advisories/GHSA-pw39-f3m5-cxfc
github.com/elastic/elasticsearch
nvd.nist.gov/vuln/detail/CVE-2024-23449

Code Behaviors & Features

Detect and mitigate CVE-2024-23449 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →