PT-2023-6648 · Unknown · Elasticsearch

Published 2023-09-07 · Updated 2024-03-06 · CVE-2023-31417

CVSS v3.1: 4.4 (Medium)
Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Elasticsearch versions 7.17.13 and 8.9.2

Description: Elasticsearch generally filters out sensitive information and credentials before writing to the audit log. However, this filtering was not applied when requests to Elasticsearch used certain deprecated API URIs. As a result, sensitive information such as passwords and tokens might be written in cleartext to the Elasticsearch audit log. Note that audit logging is disabled by default and must be explicitly enabled, and even when it is enabled, request bodies (which may contain sensitive information) are not written to the audit log unless this is explicitly configured. The affected, deprecated APIs are POST /_xpack/security/user/{username}, PUT /_xpack/security/user/{username}, PUT /_xpack/security/user/{username}/_password, POST /_xpack/security/user/{username}/_password, PUT /_xpack/security/user/_password, POST /_xpack/security/user/_password, POST /_xpack/security/oauth2/token, DELETE /_xpack/security/oauth2/token, and POST /_xpack/security/saml/authenticate.

Recommendations: For Elasticsearch versions 7.17.13 and 8.9.2, update to a version that includes the fix for this issue. As a temporary workaround, consider disabling the use of deprecated APIs, such as those starting with /_xpack/security, until a patch is available. Restrict access to the audit log to minimize the risk of exploitation. Avoid using the Accept: application/json; compatible-with=7 header, which allows clients to use deprecated APIs in Elasticsearch 8.0.0 and later.
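A defender-side triage check, added here as an example and not part of the advisory or of Elasticsearch itself: it scans audit-log lines for requests to the deprecated endpoints listed above that were recorded together with a request body, which is where cleartext credentials could have been written. The sample lines are constructed, and the dotted field names (`event.type`, `request.method`, `url.path`, `request.body`) are assumed to follow the JSON audit-log layout.

```python
import json
import re

# Deprecated endpoints named in the advisory, as (method, path regex).
# {username} is matched as a single path segment.
DEPRECATED_ENDPOINTS = [
    ("POST",   r"/_xpack/security/user/[^/]+"),
    ("PUT",    r"/_xpack/security/user/[^/]+"),
    ("PUT",    r"/_xpack/security/user/[^/]+/_password"),
    ("POST",   r"/_xpack/security/user/[^/]+/_password"),
    ("PUT",    r"/_xpack/security/user/_password"),
    ("POST",   r"/_xpack/security/user/_password"),
    ("POST",   r"/_xpack/security/oauth2/token"),
    ("DELETE", r"/_xpack/security/oauth2/token"),
    ("POST",   r"/_xpack/security/saml/authenticate"),
]

# Constructed audit entries (assumed layout; not real log output).
SAMPLE_AUDIT_LINES = [
    '{"type":"audit","event.type":"rest","event.action":"authentication_success","request.method":"PUT","url.path":"/_xpack/security/user/alice/_password","request.body":"{\\"password\\":\\"<secret>\\"}"}',
    '{"type":"audit","event.type":"rest","event.action":"authentication_success","request.method":"PUT","url.path":"/_security/user/alice/_password","request.body":"{}"}',
    '{"type":"audit","event.type":"rest","event.action":"authentication_success","request.method":"GET","url.path":"/_xpack/security/user/alice"}',
    '{"type":"audit","event.type":"rest","event.action":"authentication_success","request.method":"POST","url.path":"/_xpack/security/oauth2/token","request.body":"{\\"grant_type\\":\\"password\\"}"}',
]


def is_affected_endpoint(method: str, path: str) -> bool:
    """True if method + path is one of the deprecated, unfiltered endpoints."""
    return any(method.upper() == m and re.fullmatch(p, path) is not None
               for m, p in DEPRECATED_ENDPOINTS)


def find_exposed_entries(lines):
    """Return (line_no, method, path) for REST audit entries that hit an
    affected endpoint and were logged with a request body."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if entry.get("event.type") != "rest":
            continue
        method, path = entry.get("request.method", ""), entry.get("url.path", "")
        if is_affected_endpoint(method, path) and "request.body" in entry:
            hits.append((n, method, path))
    return hits


if __name__ == "__main__":
    for hit in find_exposed_entries(SAMPLE_AUDIT_LINES):
        print("possible cleartext secret in audit log at line %d: %s %s" % hit)
```

Entries the scan reports should be treated as log lines whose bodies may need to be purged and whose credentials may need rotation; the current `/_security/...` paths are not flagged because the advisory scopes the missing filtering to the deprecated URIs.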

Fix

Insertion into Log File

Weakness Enumeration

Related Identifiers

BDU:2023-07418
BIT-ELASTICSEARCH-2023-31417
CVE-2023-31417
GHSA-99PC-69Q9-JXF2

Affected Products

Elasticsearch