VYPR
Moderate severity · NVD Advisory · Published Nov 22, 2023 · Updated Aug 2, 2024

CVE-2023-46673

Description

It was identified that malformed scripts used in the script processor of an Ingest Pipeline could cause an Elasticsearch node to crash when calling the Simulate Pipeline API.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Malformed scripts in Elasticsearch Ingest Pipeline’s script processor can crash a node when using the Simulate Pipeline API, leading to denial of service.

Root Cause

The vulnerability resides in the script processor of an Ingest Pipeline. When a malformed script is processed through the Simulate Pipeline API, the resulting exceptional condition is handled improperly and the node crashes [4].

Exploitation

To exploit this vulnerability, an attacker must have authenticated access to the Elasticsearch cluster and be able to call the Simulate Pipeline API with a crafted pipeline containing a malformed script. No special privileges beyond the ability to create or simulate pipelines are required [4].

Impact

Successful exploitation causes the target Elasticsearch node to crash, leading to a denial of service. This can disrupt availability of the cluster, especially if multiple nodes are affected or if the node holds critical roles. The crash does not lead to data loss or confidentiality breach [4].

Mitigation

The issue is resolved in Elasticsearch versions 7.17.14 and 8.10.3. Users running versions from 7.0.0 up to (but not including) 7.17.14, or from 8.0.0 up to (but not including) 8.10.3, should upgrade immediately. No workarounds have been published [4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.elasticsearch:elasticsearch (Maven) | >= 7.0.0, < 7.17.14 | 7.17.14
org.elasticsearch:elasticsearch (Maven) | >= 8.0.0, < 8.10.3 | 8.10.3
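
The affected ranges above can be checked against the versions each node reports through the nodes info API (`GET /_nodes`). This is an added example, not code from the advisory or from Elastic; the function names are hypothetical and the node names and versions in the sample response are constructed.

```python
import json
import re

# Ranges from the "Affected packages" table: (first affected, first patched).
# The lower bound is inclusive, the patched version is exclusive.
AFFECTED_RANGES = [((7, 0, 0), (7, 17, 14)), ((8, 0, 0), (8, 10, 3))]

def parse_version(text):
    """Return (major, minor, patch). Qualifiers such as -SNAPSHOT are
    ignored, which is a simplifying assumption of this example."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def fixed_version_for(version):
    """Patched release for an affected version, or None if not in range."""
    v = parse_version(version)
    for first_affected, first_patched in AFFECTED_RANGES:
        if first_affected <= v < first_patched:
            return ".".join(str(part) for part in first_patched)
    return None

def affected_nodes(nodes_response):
    """Map node name -> (running version, upgrade target) for affected nodes.
    Nodes with a missing or unparseable version get target 'unknown'."""
    findings = {}
    for node_id, info in nodes_response.get("nodes", {}).items():
        name = info.get("name", node_id)
        version = info.get("version", "")
        try:
            target = fixed_version_for(version)
        except ValueError:
            target = "unknown"
        if target is not None:
            findings[name] = (version, target)
    return findings

# Constructed sample in the shape of a GET /_nodes response (trimmed).
SAMPLE_NODES = json.loads("""
{"nodes": {
  "a1": {"name": "es-hot-1",    "version": "8.10.2"},
  "b2": {"name": "es-hot-2",    "version": "8.10.3"},
  "c3": {"name": "es-legacy-1", "version": "7.17.9"},
  "d4": {"name": "es-ingest-1"}
}}
""")

if __name__ == "__main__":
    for name, (version, target) in sorted(affected_nodes(SAMPLE_NODES).items()):
        print(f"{name}: running {version or '?'}, upgrade to {target}")
```

Nodes reported with target `unknown` did not return a parseable version and need a manual check.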
