Elasticsearch Denial of Service (DoS) issue (ESA-2023-10)
This issue only affects users that have at least one OpenID Connect authentication realm or at least one JWT authentication realm configured.
A denial of service vulnerability was discovered in Elasticsearch that could lead to the service becoming unavailable if a maliciously crafted JWT is supplied. The cause is json-smart, a transitive dependency, which parses nested arrays in an unsafe way.
Affected Versions:
Elasticsearch versions after 7.2.0 and before 7.17.11, and versions after 8.0.0 and before 8.8.2
Solutions and Mitigations:
The issue has been resolved in versions 8.8.2 and 7.17.11.
CVSSv3: 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2023-1370
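
A triage check for the two conditions stated above (version range and realm type), as an added example that is not part of the advisory or of Elastic's code. It reads the version bounds literally (strictly after, strictly before) and assumes node settings are supplied as flat keys of the form `xpack.security.authc.realms.<type>.<name>.<setting>`; the function names and sample settings are constructed.

```python
import re

# Affected ranges as worded in the advisory, read literally (assumption):
# strictly after the lower bound, strictly before the fixed release.
AFFECTED = [((7, 2, 0), (7, 17, 11)), ((8, 0, 0), (8, 8, 2))]

# Flat realm setting keys for the two realm types the advisory names.
REALM_KEY = re.compile(r"^xpack\.security\.authc\.realms\.(oidc|jwt)\.([^.]+)\.")


def parse_version(text):
    """Turn '8.8.1' or '7.17.10-SNAPSHOT' into a comparable tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def version_affected(text):
    """True when the version falls inside one of the advisory's ranges."""
    v = parse_version(text)
    return any(low < v < fixed for low, fixed in AFFECTED)


def configured_realms(flat_settings):
    """Return sorted 'type/name' for every configured OIDC or JWT realm."""
    found = set()
    for key in flat_settings:
        m = REALM_KEY.match(key)
        if m:
            found.add(f"{m.group(1)}/{m.group(2)}")
    return sorted(found)


def triage(version, flat_settings):
    """Combine both conditions: vulnerable version AND an OIDC/JWT realm."""
    in_range = version_affected(version)
    realms = configured_realms(flat_settings)
    return {"affected": in_range and bool(realms),
            "version_in_range": in_range,
            "realms": realms}


# Constructed sample settings in flat key form (not from a real cluster).
SAMPLE = {
    "xpack.security.authc.realms.jwt.jwt1.order": "2",
    "xpack.security.authc.realms.jwt.jwt1.client_authentication.type": "shared_secret",
    "xpack.security.authc.realms.native.native1.order": "0",
}
```
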