
AVID-2026-R1286

Description

Elasticsearch-hadoop Unsafe Deserialization (CVE-2023-46674)

Details

An issue was identified that allowed the unsafe deserialization of Java objects from Hadoop or Spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon Web Services, for reporting this issue.

Reason for inclusion in AVID: CVE-2023-46674 describes an unsafe deserialization vulnerability in Elasticsearch-Hadoop, the connector that bridges Hadoop/Spark data processing with Elasticsearch. That connector is commonly used in AI data pipelines (data ingestion, feature pipelines, and support for the model-serving stack) within general-purpose AI systems, so a flaw in it is a flaw in a dependency used to build and run AI workflows and directly concerns the AI software supply chain. It is a CWE-502 deserialization issue; the CVSS vector rates integrity and availability impact as high and confidentiality impact as low, and exploitation presupposes the ability to modify the job configuration, which the vector reflects as local access with high privileges. The report provides sufficient evidence (CVSS vector, CWE, references).
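An added illustration, in Java, of the CWE-502 pattern this entry describes (this is not code from Elasticsearch-Hadoop or from Elastic, and the project's actual code path and fix are not reproduced): a job setting that carries a Base64-encoded serialized Java object and is read back with ObjectInputStream, beside a variant that installs a JEP 290 ObjectInputFilter (Java 9 and later). java.util.Properties stands in for a Hadoop/Spark Configuration, and the property name es.settings.query, the QuerySettings class, the HashMap used as a stand-in for a gadget chain, and the filter string are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;
import java.util.HashMap;
import java.util.Properties;

/**
 * Illustrative CWE-502 pattern (not the project's code): a job setting holding a
 * Base64-encoded serialized object, read back with ObjectInputStream.
 * java.util.Properties stands in for a Hadoop/Spark Configuration (assumption),
 * and the key name below is made up for the demonstration.
 */
public class ConfigDeserialization {

    static final String KEY = "es.settings.query";  // hypothetical property name

    /** The single type the consuming side legitimately expects in that property. */
    public static final class QuerySettings implements Serializable {
        private static final long serialVersionUID = 1L;
        final String index;
        final int batchSize;
        QuerySettings(String index, int batchSize) {
            this.index = index;
            this.batchSize = batchSize;
        }
    }

    /** How the submitting side writes the property (shared by both readers). */
    static String toBase64(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    /** VULNERABLE: instantiates whatever class the property encodes. Any gadget
     *  chain reachable on the job classpath runs before a caller's cast can fail. */
    static Object readUnsafe(Properties conf) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(conf.getProperty(KEY));
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return ois.readObject();
        }
    }

    /** HARDENED: a JEP 290 filter that accepts only QuerySettings, caps graph
     *  depth, and rejects every other class before an instance of it is created. */
    static QuerySettings readFiltered(Properties conf) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(conf.getProperty(KEY));
        ObjectInputFilter allowOnly = ObjectInputFilter.Config.createFilter(
                "maxdepth=2;" + QuerySettings.class.getName() + ";!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            ois.setObjectInputFilter(allowOnly);
            return (QuerySettings) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate setting, and the same property after a
        // user with write access to the job configuration replaced it with a
        // different serialized class (a benign HashMap stands in for a real gadget).
        Properties legit = new Properties();
        legit.setProperty(KEY, toBase64(new QuerySettings("logs-2023", 500)));
        Properties tampered = new Properties();
        tampered.setProperty(KEY, toBase64(new HashMap<String, String>()));

        System.out.println("unsafe, legit      -> " + readUnsafe(legit).getClass().getName());
        System.out.println("unsafe, tampered   -> " + readUnsafe(tampered).getClass().getName());
        System.out.println("filtered, legit    -> index=" + readFiltered(legit).index);
        try {
            readFiltered(tampered);
        } catch (InvalidClassException e) {
            System.out.println("filtered, tampered -> rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ConfigDeserialization.java && java ConfigDeserialization`. The unsafe reader hands back a java.util.HashMap for the tampered property without complaint, which is the whole problem: whatever class the stream names is instantiated first, and only afterwards would a cast in the caller fail. The filtered reader throws InvalidClassException for the tampered stream before any instance of the foreign class exists. A per-stream filter protects only the call sites that set it; a process-wide baseline via `-Djdk.serialFilter=...` adds coverage for call sites you did not find, and storing settings as plain strings that are parsed rather than deserialized removes the weakness class altogether.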

References

Affected or Relevant Artifacts

  • Developer: Elastic
  • Deployer: Elastic
  • Artifact Details:
      • Type: System
      • Name: Elasticsearch-Hadoop

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.1
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H
  • Base Score: 6.0
  • Base Severity: 🟠 Medium
  • Attack Vector: Local
  • Attack Complexity: 🔴 High
  • Privileges Required: 🔴 High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: 🟢 Low
  • Integrity Impact: 🔴 High
  • Availability Impact: 🔴 High

CWE

  • CWE-502: Deserialization of Untrusted Data

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2023-12-05
  • Version: 0.3.3
  • AVID Entry