CVE-2024-23449
Elasticsearch Uncaught Exception leading to crash
4.3
MEDIUM
CVSS 3.1
EPSS 0.05%
Description
An uncaught exception in Elasticsearch >= 8.4.0 and < 8.11.1 occurs when an encrypted PDF is passed to an attachment processor through the REST API. The Elasticsearch ingest node that attempts to parse the PDF file will crash. This does not happen with password-protected PDF files or with unencrypted PDF files.
How to fix CVE-2024-23449
To remediate CVE-2024-23449, upgrade the affected package to a fixed version below.
- upgrade to 8.11.1 or later
- upgrade to 8.11.1 or later
Is CVE-2024-23449 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 8.4.0, < 8.11.1
- >= 8.4.0, < 8.11.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |