Elasticsearch Uncontrolled Resource Consumption Vulnerability Allowing Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Elasticsearch versions 7.17.0 through 8.15.0 (fixed in 8.15.1). The flaw is unbounded recursion in the 'innerForbidCircularReferences' function of the 'PatternBank' class, the component that holds Grok pattern definitions and checks them for circular references before they are compiled. Because the recursion depth is governed by the pattern definitions being checked, a sufficiently deep chain of patterns that reference one another can exhaust the thread stack and crash the Elasticsearch node. Exploitation requires the attacker to hold the 'read_pipeline' cluster privilege, the privilege that grants read and simulate access to ingest pipelines.
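To make the failure mode concrete, the following added example (illustrative code, not Elasticsearch's own 'PatternBank' implementation) models a Grok-style pattern bank as a dictionary of name to definition, where a definition refers to other patterns with the %{NAME} syntax. The recursive checker has the same shape as a naive circular-reference walk and overflows the interpreter stack on a long, cycle-free reference chain; the iterative checker beside it uses an explicit stack and finishes. The pattern names, the chain length and the cyclic sample are all constructed for the demonstration:

```python
"""Recursive versus iterative circular-reference checks for a Grok-style
pattern bank.  Added illustration; not Elasticsearch code.  The recursive
walk mirrors the vulnerable shape described above: its depth is decided by
whoever supplied the pattern definitions."""
from __future__ import annotations

import re
import sys

# Grok reference syntax: %{NAME} or %{NAME:field}; only NAME matters here.
REFERENCE = re.compile(r"%\{(\w+)(?::[^}]*)?\}")


def referenced_patterns(definition: str) -> list[str]:
    """Names of the other patterns a single pattern definition refers to."""
    return REFERENCE.findall(definition)


def forbid_circular_references_recursive(bank: dict[str, str]) -> None:
    """Recursive cycle check (the vulnerable shape).

    Recursion depth equals the length of the longest reference chain.  In
    Python that surfaces as RecursionError; on the JVM the equivalent is a
    StackOverflowError, which the node does not survive.
    """
    on_path: set[str] = set()   # names on the current walk; a revisit is a cycle
    done: set[str] = set()      # names already fully checked

    def walk(name: str) -> None:
        on_path.add(name)
        for ref in referenced_patterns(bank[name]):
            if ref in on_path:
                raise ValueError(f"circular reference in pattern [{ref}]")
            if ref in bank and ref not in done:
                walk(ref)
        on_path.discard(name)
        done.add(name)

    for name in bank:
        if name not in done:
            walk(name)


def forbid_circular_references_iterative(bank: dict[str, str]) -> None:
    """Same check with an explicit stack: bounded by heap memory (which the
    caller can cap by limiting definition size), not by the thread stack."""
    WHITE, GRAY, BLACK = 0, 1, 2          # unvisited / on stack / finished
    colour = dict.fromkeys(bank, WHITE)

    for root in bank:
        if colour[root] != WHITE:
            continue
        colour[root] = GRAY
        stack = [(root, iter(referenced_patterns(bank[root])))]
        while stack:
            name, refs = stack[-1]
            ref = next(refs, None)
            if ref is None:                # every reference of `name` handled
                colour[name] = BLACK
                stack.pop()
            elif ref not in bank:
                continue                   # unknown name: not a cycle
            elif colour[ref] == GRAY:
                raise ValueError(f"circular reference in pattern [{ref}]")
            elif colour[ref] == WHITE:
                colour[ref] = GRAY
                stack.append((ref, iter(referenced_patterns(bank[ref]))))


def deep_chain(depth: int | None = None) -> dict[str, str]:
    """Constructed, cycle-free bank P0 -> P1 -> ... -> P<depth>.

    Defaults to three times the interpreter's recursion limit so that the
    recursive checker is certain to overflow.
    """
    if depth is None:
        depth = sys.getrecursionlimit() * 3
    bank = {f"P{i}": f"%{{P{i + 1}}}" for i in range(depth)}
    bank[f"P{depth}"] = "[0-9]+"           # terminal pattern, no references
    return bank


def survives(check, bank: dict[str, str]) -> bool:
    """True if `check` finishes without blowing the stack."""
    try:
        check(bank)
        return True
    except RecursionError:
        return False


def detects_cycle(check, bank: dict[str, str]) -> bool:
    """True if `check` rejects `bank` as circular."""
    try:
        check(bank)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed cyclic bank: DATE -> YEAR -> DATE.
    cyclic = {"DATE": "%{YEAR}-%{MONTH}", "YEAR": "%{DATE:d}", "MONTH": "[0-9]{2}"}
    for check in (forbid_circular_references_recursive,
                  forbid_circular_references_iterative):
        print(f"{check.__name__}: detects cycle={detects_cycle(check, cyclic)}, "
              f"survives deep chain={survives(check, deep_chain())}")
```

Both checkers agree on the cyclic sample, which is the behaviour the function exists for; they differ only on the long chain, where the recursive one fails with a stack exhaustion error instead of a validation error. That difference is the whole vulnerability: input validation whose cost grows with an attacker-chosen depth must be iterative or explicitly depth-limited.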

Impact

Exploitation crashes the Elasticsearch node that processes the request, producing a denial-of-service condition. The impact is to availability only, but the node and any shards it alone holds are unavailable until it restarts, and the request can be repeated for as long as the attacker retains the privilege.

Remediation

Users should upgrade to Elasticsearch version 8.15.1 or later; confirm the running version of each node with GET / before and after the upgrade. Where an upgrade is not immediately possible, remove the 'read_pipeline' cluster privilege from any role held by users who are not trusted. List roles with GET _security/role to find where it is granted, and review cluster privileges that are supersets of it (for example 'manage_pipeline' or 'all'), since they confer the same pipeline read and simulate access.
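The two triage checks above, as an added example (written for this page, not Elastic tooling). The first compares a node's version string with the affected range given in this advisory; the second scans a document in the shape of a GET _security/role response for roles whose cluster privileges include 'read_pipeline' or a documented superset of it. The JSON documents are constructed samples, not output from a real cluster, and the superset list is an assumption to be extended from the cluster-privilege reference for the deployed version:

```python
"""Offline triage helpers for this advisory.  Added example, not Elastic
tooling; sample documents below are constructed, not captured."""
import json

# Affected range as stated in the advisory: 7.17.0 up to, not including, 8.15.1.
FIRST_AFFECTED = (7, 17, 0)
FIRST_FIXED = (8, 15, 1)

# read_pipeline plus cluster privileges known to include it.  Assumption:
# this set is not exhaustive; check the privilege reference for your version.
PIPELINE_READ_PRIVILEGES = {"read_pipeline", "manage_pipeline", "all"}


def parse_version(version: str) -> tuple:
    """'8.15.0-SNAPSHOT' -> (8, 15, 0); any pre-release suffix is ignored."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def version_is_affected(version: str) -> bool:
    """True for every version inside the advisory's affected range."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def version_from_root_response(body: str) -> str:
    """Extract version.number from the JSON body returned by GET /."""
    return json.loads(body)["version"]["number"]


def roles_granting_pipeline_read(roles: dict,
                                 privileges: set = PIPELINE_READ_PRIVILEGES) -> list:
    """Names of roles whose cluster privileges intersect `privileges`.

    `roles` is the parsed body of GET _security/role: a mapping from role
    name to a role definition with a "cluster" list of privileges.
    """
    return sorted(name for name, body in roles.items()
                  if privileges & set(body.get("cluster", [])))


# Constructed sample in the shape of a GET / response.
SAMPLE_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "lab",
    "version": {"number": "8.14.3", "build_flavor": "default"},
    "tagline": "You Know, for Search",
})

# Constructed sample in the shape of a GET _security/role response.
SAMPLE_ROLES = json.loads("""
{
  "pipeline_reader": {"cluster": ["read_pipeline", "monitor"], "indices": [],
                      "applications": [], "run_as": [], "metadata": {}},
  "ingest_operator": {"cluster": ["manage_pipeline"], "indices": [],
                      "applications": [], "run_as": [], "metadata": {}},
  "log_writer":      {"cluster": ["monitor"],
                      "indices": [{"names": ["logs-*"], "privileges": ["write"]}],
                      "applications": [], "run_as": [], "metadata": {}}
}
""")


if __name__ == "__main__":
    version = version_from_root_response(SAMPLE_ROOT)
    print(f"node version {version}: affected={version_is_affected(version)}")
    print("roles with read_pipeline only:",
          roles_granting_pipeline_read(SAMPLE_ROLES, {"read_pipeline"}))
    print("roles with read_pipeline or a superset:",
          roles_granting_pipeline_read(SAMPLE_ROLES))
```

Running the role scan with only 'read_pipeline' reproduces the page's literal advice; running it with the superset list shows the roles that the literal advice would miss, which is the check to perform before deciding that a cluster is mitigated without the upgrade.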

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          5.7
  impact          2.5
  exploitability  4.9
  remediation     7.9
  relevance       0.0
  threat          0.0
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.