{"id":"CVE-2023-46674","details":"An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon Web Services for reporting this issue.\n","aliases":["BIT-elasticsearch-2023-46674","GHSA-rv74-m283-5j95"],"modified":"2026-03-14T12:16:19.018586Z","published":"2023-12-05T18:15:12.380Z","references":[{"type":"ADVISORY","url":"https://discuss.elastic.co/t/elasticsearch-hadoop-7-17-11-8-9-0-security-update-esa-2023-28/348663"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/elasticsearch","events":[{"introduced":"0"},{"fixed":"eeedb98c60326ea3d46caef960fb4c77958fb885"},{"introduced":"1b6a7ece17463df5ff54a3e1302d825889aa1161"},{"fixed":"8aa461beb06aa0417a231c345a1b8c38fb498a0d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"7.17.11"},{"introduced":"8.0.0"},{"fixed":"8.9.0"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-46674.json","vanir_signatures":[{"signature_version":"v1","target":{"file":"server/src/main/java/org/elasticsearch/action/admin/cluster/health/TransportClusterHealthAction.java","function":"onTimeout"},"source":"https://github.com/elastic/elasticsearch/commit/eeedb98c60326ea3d46caef960fb4c77958fb885","signature_type":"Function","id":"CVE-2023-46674-00b60f12","digest":{"function_hash":"195314418732590965725354939268817579205","length":146},"deprecated":false},{"signature_version":"v1","target":{"file":"test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java"},"source":"https://github.com/elastic/elasticsearch/commit/eeedb98c60326ea3d46caef960fb4c77958fb885","signature_type":"Line","id":"CVE-2023-46674-1fcd1189","digest":{"threshold":0.9,"line_hashes":["72919630592977237663209319849732164030","76521704441938352809301473684295330845","124458734046809073615339615971646274886","321749277967783123123457744423093369730","175850804632224147493936443727535696380","237549774618073494858982752873371504083"]},"deprecated":false},{"signature_version":"v1","target":{"file":"server/src/main/java/org/elasticsearch/action/admin/cluster/health/TransportClusterHealthAction.java"},"source":"https://github.com/elastic/elasticsearch/commit/eeedb98c60326ea3d46caef960fb4c77958fb885","signature_type":"Line","id":"CVE-2023-46674-223c0843","digest":{"threshold":0.9,"line_hashes":["56791242155093561440754699602922802063","261002487472452097014701103809481193688","131109347992471159654270056055145833752","200639234132288226145088513276953965744","118144831024639135110189422974861107720","49228099443258558065858014399502429883","332655758020155813577638580485534686222","50857803150426839998908215835687639859","9710934947692630851600506182509812794","261787511866824544682895646213160639705","138517509961337130602196253545969058444","83284010603283708117438542575482424499","252373522145478016671270831998752437145","29417468945941655047622863672209128699","134887005680684580258951937946097390009","252325744817033799572496302693953803381","115017370080193467773943149914753944287","133315093242997616180862281313760892292","250174102855802112237270414457094914462","79619246098129804658569676333445292211","170856146567546713655710523842388127258","280604442437447202326689227915262606469","306169521098725066678971626983308575877","255768783269049914993966125051285606153","279721738404654630088762664660771861779","9330857611041896104743163708895038967","317031562538723450911348523861752655360","291737255659935875044156657605589427581","152876530606824319058564406881651525873","189690571896281131665909864682342051169","252373522145478016671270831998752437145","29417468945941655047622863672209128699","150738123829663981359559271010135400458","174429120606179256651310121863042438535","236499039190247627118385630810098915580","99223937815377541922460579034618562913","261079973588162300552612080204985420492","28982179535067085260083809830357673720","269834952737609041459494327692111641055","61829953791553753312764281980827412620","147593838403989757216204519467444835098","26006940858579834303784044285585845270","174429120606179256651310121863042438535","236499039190247627118385630810098915580","99223937815377541922460579034618562913","48956484780317145337141651138969251221","335397234988027252993975712824283643788","230462371882826048929992659845578938083","245563151387423410868264956493634104762","66676620923698487146619495888101120651","149561838611573326343249976252002800643","340164350631336426281487343802411569688","315095244973568168306019278635749506103","196362540107866293572036416324123498704","301977193879913377737314641927580065791","206412894707251671972404443318711960731","113172224004610473791190451878753397468","218386213339092563183584669644162101539","42218117717251629638485709362637725545","335532789415988750949877313392884914810","65119227745230250479432900347936903516","78720146323125882174786020939685571404","126451541553889899618033324826149080818","249314992251646842246419365227856662758","32579291432328381625633489416327458322","295473812150833999708077697971903977411","28934871723297847993530655881412687601","6741051929551579546799510754391045069","295702132223144576940569905118859961445","139825107054965911633633869372380447272","162607652827565910634421011952386061093","192426317259820270862785836111341523480","178849378794461678186689278169579448859","197835779518925172303823966988342437391","332473788036589095699928315267305083110","113152760493303842239299050364344672790","290448987826253346555777498971856053843","257824889015565095000021337625303271427","263794231146895215138690304629306737234","297154916609590641782548178578456068115","130690306339408808008468155129358475444","182963491303127398199413243024519850192","175712956875941503122639889853921918135","301008993903053316247719074910181490375","217361182337667429294877899192703188469","154542945416712978382397838233270084410","90632734748478038911158952026282242097","90863667821100717170532126586642156710","171883460725082841485319997284438119050","131087270771501167148896705408115395898","271515030087108423566002942475295187804"]},"deprecated":false},{"signature_version":"v1","target":{"file":"server/src/main/java/org/elasticsearch/action/admin/cluster/health/TransportClusterHealthAction.java","function":"waitForEventsAndExecuteHealth"},"source":"https://github.com/elastic/elasticsearch/commit/eeedb98c60326ea3d46caef960fb4c77958fb885","signature_type":"Function","id":"CVE-2023-46674-28aa27dd","digest":{"function_hash":"175726788085796966782629847738595060846","length":2701},"deprecated":false},{"signature_version":"v1","target":{"file":"server/src/main/java/org/elasticsearch/action/admin/cluster/health/TransportClusterHealthAction.java","function":"masterOperation"},"source":"https://github.com/elastic/elasticsearch/commit/eeedb98c60326ea3d46caef960fb4c77958fb885","signature_type":"Function","id":"CVE-2023-46674-292ae87b","digest":{"function_hash":"132937421475890902392174792251740618521","length":455},"deprecated":false},{"signature_version":"v1","target":{"file":"server/src/test/java/org/elasticsearch/cluster/health/ClusterStateHealthTests.java","function":"testClusterHealthWaitsForClusterStateApplication"},"source":"https://github.com/elastic/elasticsearch/commit/eeedb98c60326ea3d46caef960fb4c77958fb885","signature_type":"Function","id":"CVE-2023-46674-3c9ccc52","digest":{"function_hash":"251562323171333253086246984592288882272","length":1480},"deprecated":false},{"signature_version":"v1","target":{"file":"server/src/main/java/org/elasticsearch/rest/action/admin/cluster/RestClusterHealthAction.java"},"source":"https://github.com/elastic/elasticsearch/commit/eeedb98c60326ea3d46caef960fb4c77958fb885","signature_type":"Line","id":"CVE-2023-46674-4b3774a4","digest":{"threshold":0.9,"line_hashes":["155962608250304230763121350031407172164","242717823275861031067029802018847323086","307757298760905004822740541074250385852","162899303504247520377413025632430404562","178485864041491068476686119065062008533","15274643139537649001307426591691674992","5098805821060262379383626982216813773","248608060240417453632379199807008690718"]},"deprecated":false},{"signature_version":"v1","target":{"file":"server/src/main/java/org/elasticsearch/rest/action/admin/cluster/RestClusterHealthAction.java","function":"prepareRequest"},"source":"https://github.com/elastic/elasticsearch/commit/eeedb98c60326ea3d46caef960fb4c77958fb885","signature_type":"Function","id":"CVE-2023-46674-5bda2207","digest":{"function_hash":"211245911209175656390143185205842156867","length":244},"deprecated":false},{"signature_version":"v1","target":{"file":"server/src/main/java/org/elasticsearch/action/admin/cluster/health/TransportClusterHealthAction.java","function":"clusterStateProcessed"},"source":"https://github.com/elastic/elasticsearch/commit/eeedb98c60326ea3d46caef960fb4c77958fb885","signature_type":"Function","id":"CVE-2023-46674-6da398ca","digest":{"function_hash":"5404235771998888714081072981406497139","length":536},"deprecated":false},{"signature_version":"v1","target":{"file":"server/src/test/java/org/elasticsearch/cluster/health/ClusterStateHealthTests.java"},"source":"https://github.com/elastic/elasticsearch/commit/eeedb98c60326ea3d46caef960fb4c77958fb885","signature_type":"Line","id":"CVE-2023-46674-6f4b9c58","digest":{"threshold":0.9,"line_hashes":["180711593914136683470271172114839299871","42196855722912047301929948827606393857","49919856636442879718633512225542789782","106424972879072071405689693783180951279","207775338532262093297481938210699369834","211288110628335819010801587018502326854","177488638003365188078098354067096729753","181022521802483312386937311454532743130","162958714978688031415971742650611826044","92807347980513346755242221861534215116","207006766408926886605710327214752179240","140707279872837144279965293733056036369","50583490959650044458984761833790113674","176644145481638765898600468899354693926","252621993473906174156296812833336622442","140575960612630349444267340585258434765"]},"deprecated":false},{"signature_version":"v1","target":{"file":"server/src/main/java/org/elasticsearch/action/admin/cluster/health/TransportClusterHealthAction.java","function":"onFailure"},"source":"https://github.com/elastic/elasticsearch/commit/eeedb98c60326ea3d46caef960fb4c77958fb885","signature_type":"Function","id":"CVE-2023-46674-a03f6dd3","digest":{"function_hash":"6474068417774092020634181732763771862","length":338},"deprecated":false},{"signature_version":"v1","target":{"file":"server/src/main/java/org/elasticsearch/action/admin/cluster/health/ClusterHealthRequest.java"},"source":"https://github.com/elastic/elasticsearch/commit/eeedb98c60326ea3d46caef960fb4c77958fb885","signature_type":"Line","id":"CVE-2023-46674-c92be6ae","digest":{"threshold":0.9,"line_hashes":["25305633625658196018831241284855580218","169651598616811474482466104901414717818","289456362489181746088668429790502886300","287417607446545462087396542818238113508","97671628464759580500551447523687287125","234916791305774367641869177000256360774","9196050395012555782273868136664546074","138830480758109085374865192511230789358"]},"deprecated":false},{"signature_version":"v1","target":{"file":"server/src/main/java/org/elasticsearch/action/admin/cluster/health/TransportClusterHealthAction.java","function":"clusterStateProcessed"},"source":"https://github.com/elastic/elasticsearch/commit/eeedb98c60326ea3d46caef960fb4c77958fb885","signature_type":"Function","id":"CVE-2023-46674-ced2ca53","digest":{"function_hash":"228981500300247243571845585931063640017","length":395},"deprecated":false},{"signature_version":"v1","target":{"file":"server/src/main/java/org/elasticsearch/action/admin/cluster/health/TransportClusterHealthAction.java","function":"getResponse"},"source":"https://github.com/elastic/elasticsearch/commit/eeedb98c60326ea3d46caef960fb4c77958fb885","signature_type":"Function","id":"CVE-2023-46674-dc23d544","digest":{"function_hash":"3103055835509618735414406246996403859","length":483},"deprecated":false},{"signature_version":"v1","target":{"file":"server/src/main/java/org/elasticsearch/action/admin/cluster/health/TransportClusterHealthAction.java","function":"executeHealth"},"source":"https://github.com/elastic/elasticsearch/commit/eeedb98c60326ea3d46caef960fb4c77958fb885","signature_type":"Function","id":"CVE-2023-46674-f37c4a92","digest":{"function_hash":"97289872469176408882290985059139290681","length":1060},"deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}