Impact of CVE-2024-23450 affecting Elasticsearch on Enterprise Vault, Compliance Accelerator and Discovery Accelerator

Article: 100074203
Last Published: 2025-04-18
Product(s): Enterprise Vault

Description

CVE-2024-23450: Elasticsearch Uncontrolled Resource Consumption vulnerability

A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the Elasticsearch node to crash.
https://nvd.nist.gov/vuln/detail/cve-2024-23450


Affected Versions

- Elasticsearch versions on or after 7.0.0 and before 7.17.19
- Elasticsearch versions on or after 8.0.0 and before 8.13.0
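The following Python sketch is an added example, not part of the vendor advisory or of Elasticsearch itself. It checks a version string against the ranges above and measures how deeply a node's ingest pipelines call one another. It assumes the version comes from the node's reported version number and the pipeline definitions from the JSON returned by `GET _ingest/pipeline`. Treating "nested" as chains of `pipeline` processors is also an assumption, and the sample data is constructed.

```python
import re

# Affected ranges as stated in the advisory: low <= version < high.
AFFECTED = [((7, 0, 0), (7, 17, 19)), ((8, 0, 0), (8, 13, 0))]

def is_affected(version: str) -> bool:
    """True if an Elasticsearch version string falls in an affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return any(low <= v < high for low, high in AFFECTED)

def _refs(processors):
    """Yield names of pipelines invoked by `pipeline` processors, including
    those wrapped in `foreach` or placed in `on_failure` handlers."""
    for proc in processors or []:
        for kind, body in proc.items():
            if not isinstance(body, dict):
                continue
            if kind == "pipeline" and "name" in body:
                yield body["name"]
            if kind == "foreach" and isinstance(body.get("processor"), dict):
                yield from _refs([body["processor"]])
            yield from _refs(body.get("on_failure"))

def chain_depth(pipelines: dict, name: str, seen=()) -> int:
    """Number of pipelines in the longest call chain starting at `name`.
    Returns -1 if the chain loops back on itself; 0 if `name` is undefined."""
    if name in seen:
        return -1
    if name not in pipelines:
        return 0
    p = pipelines[name]
    called = _refs((p.get("processors") or []) + (p.get("on_failure") or []))
    depths = [chain_depth(pipelines, r, seen + (name,)) for r in called]
    return -1 if -1 in depths else 1 + max(depths, default=0)

# Constructed sample in the shape of a GET _ingest/pipeline response.
SAMPLE = {
    "outer": {"processors": [{"pipeline": {"name": "middle"}}]},
    "middle": {"processors": [{"foreach": {
        "field": "items", "processor": {"pipeline": {"name": "inner"}}}}]},
    "inner": {"processors": [{"lowercase": {"field": "msg"}}]},
    "loop": {"processors": [{"pipeline": {"name": "loop"}}]},
}

if __name__ == "__main__":
    print(is_affected("7.17.18"), {n: chain_depth(SAMPLE, n) for n in SAMPLE})
```

A node that reports an affected version and shows long chains is the one to prioritise for upgrade to 7.17.19 or 8.13.0.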


CVSS 3.x Severity and Vector Strings

- NIST: NVD
  - Base Score: 7.5 HIGH
  - Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CNA: Elastic
  - Base Score: 4.9 MEDIUM
  - Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H


Impact

The Elasticsearch back-end infrastructure used by Enterprise Vault is not impacted by this vulnerability, because Enterprise Vault does not use the approach/method mentioned in the vulnerability statement. Certain components of Elasticsearch may be present on the Compliance Accelerator/Discovery Accelerator servers because the Enterprise Vault API/binaries are a prerequisite and must be installed there. However, Compliance Accelerator and Discovery Accelerator do not use Elasticsearch.


Mitigation

As Enterprise Vault is not affected, no mitigation or resolution is required.
As Compliance Accelerator and Discovery Accelerator are not affected, no mitigation or resolution is required.


Questions

For questions or problems regarding these vulnerabilities, please contact Technical Support.


Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC AND/OR ARCTERA US LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

 

References

JIRA : CFT-7189
