Description
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via crafted HTTP request.
A flaw was found in Elasticsearch. An authenticated user who holds snapshot restore privileges can trigger an excessive memory allocation via a crafted HTTP request, resulting in a denial of service.
Statement
This issue can only be exploited by an authenticated user who already holds snapshot restore privileges, which limits the scope to legitimate (privileged) users of the Elasticsearch instance. The only security impact is a denial of service caused by excessive memory allocation; there is no confidentiality or integrity impact. For these reasons the vulnerability has been rated Moderate severity.
Mitigation
To mitigate this issue, ensure that only the users who genuinely need to restore snapshots hold authentication credentials for the Elasticsearch instance with snapshot restore privileges. Review the roles that grant those privileges and the accounts mapped to them, and remove the privilege from anyone who does not require it; this limits the set of users able to trigger the excessive allocation.
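The mitigation above is a privilege review. The following script is an added example (not part of the Red Hat advisory and not Elastic's own code) showing how such a review can be automated: it takes the JSON documents returned by the Elasticsearch `GET _security/role` and `GET _security/user` APIs and reports every enabled user whose roles grant the restore action. It relies on two facts about Elasticsearch privileges: the raw action behind a restore is `cluster:admin/snapshot/restore`, and the built-in cluster privileges `all` and `manage` cover it, whereas `create_snapshot` and `monitor_snapshot` do not. The role and user documents embedded below are constructed for this example; the role names in them are hypothetical.

```python
"""Audit which Elasticsearch roles and users can restore snapshots.

Added example, not code from the advisory or from Elastic. It parses the
response shapes of GET _security/role and GET _security/user (fetched out
of band, e.g. with curl) and flags every enabled user whose effective
cluster privileges cover the cluster:admin/snapshot/restore action.
"""
import fnmatch
import json

# Raw cluster action that a snapshot restore request requires.
RESTORE_ACTION = "cluster:admin/snapshot/restore"

# Built-in cluster privileges that cover the restore action:
# 'all' grants every action, 'manage' grants cluster:admin/*.
# create_snapshot and monitor_snapshot deliberately do NOT include restore.
RESTORE_BUILTINS = {"all", "manage"}


def grants_restore(cluster_privs):
    """True if a role's cluster privilege list covers snapshot restore.

    Role definitions may contain named built-in privileges and/or raw action
    patterns such as 'cluster:admin/snapshot/*'; both forms are checked.
    """
    for priv in cluster_privs:
        if priv in RESTORE_BUILTINS:
            return True
        if priv.startswith("cluster:") and fnmatch.fnmatchcase(RESTORE_ACTION, priv):
            return True
    return False


def restore_capable_roles(roles):
    """roles: dict as returned by GET _security/role -> set of role names."""
    return {
        name for name, body in roles.items()
        if grants_restore(body.get("cluster", []))
    }


def restore_capable_users(users, roles):
    """users: dict as returned by GET _security/user -> {user: [offending roles]}."""
    risky = restore_capable_roles(roles)
    findings = {}
    for name, body in users.items():
        if not body.get("enabled", True):
            continue  # a disabled account cannot authenticate, so it cannot exploit this
        hit = sorted(set(body.get("roles", [])) & risky)
        if hit:
            findings[name] = hit
    return findings


def audit_from_files(role_json_path, user_json_path):
    """Convenience wrapper: feed it the saved output of the two security APIs."""
    with open(role_json_path) as f:
        roles = json.load(f)
    with open(user_json_path) as f:
        users = json.load(f)
    return restore_capable_users(users, roles)


# Constructed sample data mimicking the API response shapes (hypothetical names).
SAMPLE_ROLES = {
    "superuser": {"cluster": ["all"],
                  "indices": [{"names": ["*"], "privileges": ["all"]}],
                  "metadata": {"_reserved": True}},
    "backup_operator": {"cluster": ["create_snapshot", "monitor_snapshot"],
                        "indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
    "dr_restore": {"cluster": ["cluster:admin/snapshot/*"],
                   "indices": [{"names": ["*"], "privileges": ["manage"]}]},
    "ops_manage": {"cluster": ["manage"], "indices": []},
    "log_reader": {"cluster": ["monitor"],
                   "indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
}
SAMPLE_USERS = {
    "alice": {"roles": ["log_reader"], "enabled": True},
    "bob": {"roles": ["backup_operator", "dr_restore"], "enabled": True},
    "carol": {"roles": ["ops_manage"], "enabled": False},
    "elastic": {"roles": ["superuser"], "enabled": True},
}

if __name__ == "__main__":
    for user, roles in sorted(restore_capable_users(SAMPLE_USERS, SAMPLE_ROLES).items()):
        print(f"{user}: can restore snapshots via role(s) {', '.join(roles)}")
```

To run it against a real cluster, save the output of `curl -u <admin> https://<host>:9200/_security/role` and `.../_security/user` to files and call `audit_from_files()`. Users that should not be able to restore snapshots are then moved to a role such as the `backup_operator` pattern above, which keeps `create_snapshot`/`monitor_snapshot` but drops `manage`, `all` and any raw `cluster:admin/snapshot/*` grant.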
Affected Packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | elasticsearch-core | Fix deferred | | |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel9 | Fix deferred | | |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-operator-bundle | Fix deferred | | |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-proxy-rhel9 | Fix deferred | | |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-rhel9-operator | Fix deferred | | |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Fix deferred | | |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-curator5-rhel9 | Fix deferred | | |
| Logging Subsystem for Red Hat OpenShift | x-pack-core | Fix deferred | | |
| Red Hat Fuse 7 | elasticsearch-core | Fix deferred | | |
| Red Hat JBoss Enterprise Application Platform 7 | elasticsearch-core | Fix deferred | | |
Additional information
CVSS3 score: 4.9 Medium
Related vulnerabilities
Elasticsearch privileged authenticated users can cause DoS through Excessive Resource Allocation