VYPR
Moderate severity · NVD Advisory · Published Dec 5, 2023 · Updated Aug 28, 2024

Elasticsearch-hadoop Unsafe Deserialization

CVE-2023-46674

Description

An issue was identified that allowed the unsafe deserialization of Java objects from Hadoop or Spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich of Amazon Web Services for reporting this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users can trigger unsafe Java deserialization via crafted Hadoop or Spark config properties in elasticsearch-hadoop before 7.17.11 and 8.9.0.

Vulnerability

Overview

CVE-2023-46674 is an unsafe deserialization flaw in the elasticsearch-hadoop library, which integrates Elasticsearch with Hadoop and Spark ecosystems. The root cause is that the library deserializes Java objects from Hadoop or Spark configuration properties without proper validation, allowing authenticated users to supply malicious serialized data. [2][3]
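To make the class of flaw concrete, the following is an added illustration and not code from elasticsearch-hadoop or from Elastic. It contrasts a connector that blindly calls `readObject()` on a base64-encoded configuration property with one that installs a JEP 290 `ObjectInputFilter` allowlist (Java 9+), so that only the one settings class the job actually expects can be materialised. `JobSettings`, `unsafeRead`, `safeRead` and the sample property values are all constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;
import java.util.HashMap;
import java.util.Set;

// Hypothetical settings class a connector might legitimately carry in a config property.
final class JobSettings implements Serializable {
    private static final long serialVersionUID = 1L;
    final String index;
    final int batchSize;
    JobSettings(String index, int batchSize) { this.index = index; this.batchSize = batchSize; }
}

public class ConfigDeserializationDemo {

    // Weak pattern: whatever serialized object the property carries gets instantiated.
    static Object unsafeRead(String base64Property) throws Exception {
        byte[] bytes = Base64.getDecoder().decode(base64Property);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Hardened pattern: only the classes the job expects may be deserialized.
    private static final Set<String> ALLOWED = Set.of(JobSettings.class.getName(), "java.lang.String");

    static Object safeRead(String base64Property) throws Exception {
        byte[] bytes = Base64.getDecoder().decode(base64Property);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(info -> {
                // Reject resource-exhaustion shapes (deep graphs, many references, arrays) outright.
                if (info.depth() > 3 || info.references() > 50 || info.arrayLength() > 0) {
                    return ObjectInputFilter.Status.REJECTED;
                }
                Class<?> clazz = info.serialClass();
                if (clazz == null) {
                    return ObjectInputFilter.Status.UNDECIDED; // callback carries no class to check
                }
                return ALLOWED.contains(clazz.getName())
                        ? ObjectInputFilter.Status.ALLOWED
                        : ObjectInputFilter.Status.REJECTED;
            });
            return in.readObject(); // throws InvalidClassException when the filter rejects
        }
    }

    // Helper that produces the base64 form a config property would hold.
    static String serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed values standing in for properties a cluster user could set.
        String expected = serialize(new JobSettings("logs-2023", 500));
        String unexpected = serialize(new HashMap<String, String>());

        System.out.println("unsafeRead accepts any class: " + unsafeRead(unexpected).getClass().getName());
        System.out.println("safeRead accepts the expected class: " + safeRead(expected).getClass().getName());
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safeRead rejected the unexpected class: " + e.getMessage());
        }
    }
}
```

The allowlist is the important design choice: a denylist of known gadget classes is always one library upgrade away from being incomplete, whereas naming the handful of types a job legitimately expects fails closed. Where a filter cannot be installed per stream, the same policy can be applied JVM-wide with the `jdk.serialFilter` system property.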

Attack

Vector and Prerequisites

An attacker must have authenticated access to the Hadoop or Spark cluster and the ability to modify configuration properties used by elasticsearch-hadoop. The attack is local to the cluster environment (AV:L), requires high privileges (PR:H) and needs no user interaction (UI:N). [3] The exploitation complexity is high (AC:H), meaning specific conditions are needed to craft a valid malicious payload. [3]

Impact

Successful exploitation could lead to a limited loss of confidentiality (C:L), and a high impact on integrity (I:H) and availability (A:H). [3] An attacker could execute arbitrary code on the cluster nodes within the context of the Elasticsearch-Hadoop job, potentially modifying data or disrupting operations.

Mitigation

Elastic has released fixed versions 7.17.11 and 8.9.0, which resolve the unsafe deserialization issue. [3] Users should upgrade immediately. No workarounds have been published. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.elasticsearch:elasticsearch-hadoop (Maven) | < 7.17.11 | 7.17.11
org.elasticsearch:elasticsearch-hadoop (Maven) | >= 8.0.0, < 8.9.0 | 8.9.0

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.