CVE-2023-49921

5.2 MEDIUM

📋 TL;DR

When the Watcher search input logger runs at DEBUG level, affected Elasticsearch versions write the documents returned by a search-input watch into the server log, exposing whatever those documents contain. Only deployments with Watcher enabled, at least one search-input watch, and DEBUG (or TRACE) logging on the relevant logger are affected.

💻 Affected Systems

Products:
  • Elasticsearch
Versions: Elasticsearch 7.x before 7.17.16, 8.x before 8.11.2
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if Watcher is enabled, at least one search-input watch is configured, AND the Watcher search input logger (or one of its parent loggers) is set to DEBUG or TRACE. None of these hold in a default installation.

📦 What is this software?

Elasticsearch is a distributed search and analytics engine. Watcher is its built-in alerting feature: a watch runs on a schedule, and a watch with a search input executes a query and hands the matching documents to the watch's condition and actions. Those matching documents are what the affected versions write to the server log at DEBUG.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sensitive data from Elasticsearch documents (PII, credentials, proprietary information) is written to log files accessible to unauthorized users.

🟠

Likely Case

Accidental exposure of non-sensitive indexed data in logs accessible to administrators or monitoring systems.

🟢

If Mitigated

No data exposure if DEBUG logging is disabled or patched versions are used.

🌐 Internet-Facing: LOW - This requires specific Watcher configuration and DEBUG logging, not directly exploitable via network.
🏢 Internal Only: MEDIUM - Internal users with log access could potentially view sensitive data if DEBUG logging is enabled.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific configuration conditions and access to log files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Elasticsearch 8.11.2 or 7.17.16

Vendor Advisory: https://discuss.elastic.co/t/elasticsearch-8-11-2-7-17-16-security-update-esa-2023-29/349179

Restart Required: Yes

Instructions:

1. Download Elasticsearch 8.11.2 (or 7.17.16 on the 7.x branch) from elastic.co.
2. Take a snapshot of the data and back up the configuration (elasticsearch.yml, log4j2.properties, the keystore).
3. Stop the Elasticsearch service on the node.
4. Install the new version.
5. Start the Elasticsearch service and confirm the node reports the new version and has rejoined the cluster.

For a multi-node cluster, apply these steps one node at a time following Elastic's rolling upgrade procedure so the cluster stays available.

🔧 Temporary Workarounds

Disable DEBUG logging for Watcher search input

Applies to: all affected versions

Set the logger org.elasticsearch.xpack.watcher.input.search back to INFO (or a less verbose level), and do the same for any parent logger such as org.elasticsearch.xpack.watcher or the root logger if one of those is what was raised to DEBUG or TRACE. The level can come from three places, and all three need checking: a logger.* cluster setting applied at runtime (persistent or transient; reset it by setting the key to null through the cluster settings API), a logger.* entry in elasticsearch.yml, or a logger block in log4j2.properties on each node. In log4j2.properties the syntax is a name/level pair, not a single dotted key:

  logger.watcher_search_input.name = org.elasticsearch.xpack.watcher.input.search
  logger.watcher_search_input.level = info

🧯 If You Can't Patch

  • Ensure DEBUG and TRACE are not set for org.elasticsearch.xpack.watcher.input.search or any of its parent loggers (including the root logger) on any node
  • Restrict access to Elasticsearch log files to authorized personnel only, and remember that copies forwarded by log shippers (Filebeat, syslog, a central SIEM) carry the same contents
  • Rotate out or purge log files written while DEBUG was enabled; patching stops new disclosure but does not scrub what was already logged

🔍 How to Verify

Check if Vulnerable:

Two conditions must both hold: the node runs a version in the affected range (7.x before 7.17.16 or 8.x before 8.11.2), and the logger org.elasticsearch.xpack.watcher.input.search (or a parent logger, or the root logger) is at DEBUG or TRACE. Check the level in all three places it can be set: the logger.* keys returned by GET _cluster/settings?flat_settings=true, logger.* entries in elasticsearch.yml, and logger entries in log4j2.properties on every node. Finally confirm Watcher is actually in use with at least one search-input watch (for example watch_count in GET _watcher/stats); with no search-input watches there is nothing to log.

Check Version:

curl -s "localhost:9200" | grep '"number"'

Verify Fix Applied:

Every node reports 8.11.2 or later on the 8.x branch, or 7.17.16 or later on the 7.17 branch, and after a search-input watch runs with the logger at DEBUG the server log contains no document contents.
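To make the two checks above concrete, here is an added Python script (not Elastic's code and not part of the original page) that evaluates the version and the effective logger level from the JSON that `GET /` and `GET _cluster/settings?flat_settings=true` return. The two responses embedded in it are constructed samples; the `curl` commands in the docstring are how you would fetch real ones. The logger resolution follows log4j's rule that the most specific configured ancestor wins, with transient settings overriding persistent ones.

```python
"""Offline exposure check for CVE-2023-49921 (added example; not Elastic's code).

Two live responses are needed, fetched with, for example:
  curl -s "localhost:9200"                                       # version.number
  curl -s "localhost:9200/_cluster/settings?flat_settings=true"  # dynamic logger.* levels
Loggers set statically (elasticsearch.yml, log4j2.properties) do not appear in
_cluster/settings; check those files on every node as well.
The dicts below are CONSTRUCTED stand-ins for those two responses.
"""

# Fixed releases per branch, from the advisory: 7.x before 7.17.16, 8.x before 8.11.2
FIXED_IN = {7: (7, 17, 16), 8: (8, 11, 2)}
TARGET_LOGGER = "org.elasticsearch.xpack.watcher.input.search"
VERBOSE_LEVELS = {"DEBUG", "TRACE", "ALL"}

# constructed sample responses
SAMPLE_ROOT_INFO = {"name": "node-1", "version": {"number": "8.11.1"}}
SAMPLE_CLUSTER_SETTINGS = {
    # verbosity was raised on the parent 'input' logger; the search-input
    # logger underneath it inherits that level
    "persistent": {"logger.org.elasticsearch.xpack.watcher.input": "DEBUG"},
    "transient": {},
}


def parse_version(number):
    """'8.11.1-SNAPSHOT' -> (8, 11, 1); the qualifier after '-' is ignored."""
    return tuple(int(p) for p in number.split("-")[0].split(".")[:3])


def version_in_affected_range(number):
    """True when the version lies in the advisory's affected range."""
    v = parse_version(number)
    fixed = FIXED_IN.get(v[0])
    # majors other than 7 and 8 are not listed in the advisory
    return fixed is not None and v < fixed


def flatten(settings, prefix=""):
    """Turn the nested form of _cluster/settings into 'a.b.c' -> value."""
    out = {}
    for key, value in settings.items():
        full = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, full))
        else:
            out[full] = value
    return out


def configured_logger_levels(cluster_settings):
    """Merge persistent and transient logger.* settings (transient wins)."""
    levels = {}
    for scope in ("persistent", "transient"):
        for key, value in flatten(cluster_settings.get(scope, {})).items():
            if key.startswith("logger."):
                levels[key[len("logger."):]] = str(value).upper()
    return levels


def watcher_search_debug_enabled(cluster_settings):
    """Resolve the effective level of the search-input logger the way log4j does:
    the most specific configured ancestor wins, falling back to the root level
    (setting 'logger.level'), which Elasticsearch defaults to INFO."""
    levels = configured_logger_levels(cluster_settings)
    parts = TARGET_LOGGER.split(".")
    effective = levels.get("level", "INFO")
    for i in range(len(parts), 0, -1):
        name = ".".join(parts[:i])
        if name in levels:
            effective = levels[name]
            break
    if effective in VERBOSE_LEVELS:
        return True
    # a logger configured below the package (e.g. a class-level logger) also counts
    return any(name.startswith(TARGET_LOGGER + ".") and lvl in VERBOSE_LEVELS
               for name, lvl in levels.items())


def assess(root_info, cluster_settings):
    """Vulnerable only when the version is affected AND the logger is verbose.
    That Watcher is enabled with a search-input watch is assumed, not checked."""
    number = root_info["version"]["number"]
    affected = version_in_affected_range(number)
    verbose = watcher_search_debug_enabled(cluster_settings)
    return {"version": number, "version_affected": affected,
            "debug_enabled": verbose, "vulnerable": affected and verbose}


if __name__ == "__main__":
    print(assess(SAMPLE_ROOT_INFO, SAMPLE_CLUSTER_SETTINGS))
```

Run it against each node's responses in turn: a child logger pinned to INFO below a DEBUG parent, or a transient INFO overriding a persistent DEBUG, is correctly reported as not exposed, while a DEBUG root logger or a class-level logger under the package is reported as exposed.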

📡 Detection & Monitoring

Log Indicators:

  • DEBUG or TRACE records whose logger is org.elasticsearch.xpack.watcher.input.search (or a class inside that package) and whose message contains document bodies; in the plaintext log layout the logger name is abbreviated (for example o.e.x.w.i.s.ExecutableSearchInput), in the JSON server log it appears in full under log.logger

Network Indicators:

  • None on the Elasticsearch port itself; the exposure is in local log files and in any log-shipping pipeline that forwards them

SIEM Query:

source="elasticsearch.logs" AND log_level="DEBUG" AND logger="org.elasticsearch.xpack.watcher.input.search*"

For plaintext-format logs also match the abbreviated logger prefix o.e.x.w.i.s.
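As an added detection example (not from the original page or from Elastic), the following Python pass applies the indicator above to Elasticsearch server log lines in both the plaintext and the JSON layout. The log lines are constructed samples; the message texts are illustrative, and the abbreviated logger name `o.e.x.w.i.s.ExecutableSearchInput` assumes the default `%c{1.}` pattern of Elasticsearch's log4j2.properties.

```python
"""Detection pass for CVE-2023-49921 over Elasticsearch server log lines
(added example; not Elastic's code). Handles both the plaintext layout
('[ts][LEVEL][logger] [node] message') and the JSON server log, and flags
DEBUG/TRACE records from the Watcher search-input logger.
The sample lines below are CONSTRUCTED; the message texts are illustrative."""
import json
import re

TARGET_LOGGER = "org.elasticsearch.xpack.watcher.input.search"
TARGET_PARTS = TARGET_LOGGER.split(".")
VERBOSE_LEVELS = {"DEBUG", "TRACE"}

# '[%d][%-5p][%-25c{1.}] [%node_name] %m': level and logger may be space-padded
PLAINTEXT = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+)\s*\]\[(?P<logger>[^\]]+?)\s*\]\s*(?P<message>.*)$"
)

SAMPLE_LINES = [
    # plaintext layout: abbreviated logger name, DEBUG record carrying a document body
    '[2023-12-05T10:15:30,123][DEBUG][o.e.x.w.i.s.ExecutableSearchInput] [node-1] '
    '[my_watch] hit [{"_index":"customers","_id":"1","_source":{"email":"alice@example.com"}}]',
    # same logger at INFO: not an indicator
    '[2023-12-05T10:15:31,001][INFO ][o.e.x.w.i.s.ExecutableSearchInput] [node-1] [my_watch] finished',
    # DEBUG from an unrelated watcher logger: not an indicator
    '[2023-12-05T10:15:32,500][DEBUG][o.e.x.w.WatcherService   ] [node-1] watcher started',
    # JSON (ECS-style) server log line with the full logger name
    json.dumps({"@timestamp": "2023-12-05T10:15:33.000Z", "log.level": "DEBUG",
                "log.logger": "org.elasticsearch.xpack.watcher.input.search.ExecutableSearchInput",
                "elasticsearch.node.name": "node-1", "message": "[my_watch] found [3] hits"}),
    # garbage that matches neither layout
    "not a log line",
]


def logger_matches(name):
    """True for the search-input package, a class inside it, or log4j's
    abbreviated form of either (each package segment shortened to its initial)."""
    parts = name.split(".")
    if len(parts) < len(TARGET_PARTS):
        return False
    return all(p == full or p == full[0] for p, full in zip(parts, TARGET_PARTS))


def parse_line(line):
    """Return {'ts', 'level', 'logger', 'message'} or None if the line is unparseable."""
    line = line.strip()
    if line.startswith("{"):
        try:
            rec = json.loads(line)
        except ValueError:
            return None
        return {"ts": rec.get("@timestamp") or rec.get("timestamp"),
                # ECS keys (8.x) first, then the older 7.x keys
                "level": str(rec.get("log.level") or rec.get("level") or "").upper(),
                "logger": rec.get("log.logger") or rec.get("component") or "",
                "message": rec.get("message", "")}
    m = PLAINTEXT.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "level": m["level"].upper(),
            "logger": m["logger"], "message": m["message"]}


def find_watcher_search_debug(lines):
    """Records from the search-input logger at DEBUG/TRACE: each one may carry
    document contents and should be treated as a potential disclosure."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["level"] in VERBOSE_LEVELS and logger_matches(rec["logger"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_watcher_search_debug(SAMPLE_LINES):
        print(rec["ts"], rec["logger"], rec["message"][:60])
```

Feed it a rotated log file or the output of your log shipper; every record it returns is a line whose message should be inspected for document contents and, if any are present, treated as a disclosure event for the data in that index.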

🔗 References

  • Elastic security advisory ESA-2023-29 (Elasticsearch 8.11.2 / 7.17.16 security update): https://discuss.elastic.co/t/elasticsearch-8-11-2-7-17-16-security-update-esa-2023-29/349179
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-49921