maven/org.elasticsearch/elasticsearch/CVE-2024-23449.yml

+---
+identifier: "CVE-2024-23449"
+identifiers:
+- "CVE-2024-23449"
+- "GHSA-pw39-f3m5-cxfc"
+package_slug: "maven/org.elasticsearch/elasticsearch"
+title: "Elasticsearch Uncaught Exception leading to crash"
+description: "An uncaught exception in Elasticsearch >= 8.4.0 and < 8.11.1 occurs
+  when an encrypted PDF is passed to an attachment processor through the REST API.
+  The Elasticsearch ingest node that attempts to parse the PDF file will crash. This
+  does not happen with password-protected PDF files or with unencrypted PDF files."
+date: "2024-03-29"
+pubdate: "2024-03-29"
+affected_range: "[8.4.0,8.11.1)"
+fixed_versions:
+- "8.11.1"
+affected_versions: "All versions starting from 8.4.0 before 8.11.1"
+not_impacted: "All versions before 8.4.0, all versions starting from 8.11.1"
+solution: "Upgrade to version 8.11.1 or above."
+urls:
+- "https://nvd.nist.gov/vuln/detail/CVE-2024-23449"
+- "https://github.com/advisories/GHSA-pw39-f3m5-cxfc"
+- "https://discuss.elastic.co/t/elasticsearch-8-11-1-security-update-esa-2024-05/356458"
+- "https://github.com/elastic/elasticsearch"
+cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+uuid: "5df4bfc8-3cf9-4060-960a-c005fe98d762"
+cwe_ids:
+- "CWE-248"
+- "CWE-937"
+- "CWE-1035"