Sign in Sign up
Explore Enterprise Education Gitee Premium Gitee AI Gitee AI
Scan WeChat QR to Pay
Cancel
Complete
Watch
Unwatch Watching Releases Only Ignoring
6 Star 0 Fork 5

src-openEuler/python-elasticsearch7

Code Issues 7 Pull Requests 0 Wiki Insights Pipelines
Service

CVE-2023-49921

已挂起
CVE和安全问题
openeuler-ci-bot
owner
Opened this issue  
2024-12-12 00:46

一、漏洞信息
漏洞编号:CVE-2023-49921
漏洞归属组件:python-elasticsearch7
漏洞归属的版本:7.17.9
CVSS V3.0分值:
BaseScore:6.5 Medium
Vector:CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
漏洞简述:
An issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw contents of documents stored in Elasticsearch to be printed in logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by removing this excessive logging. This issue only affects users that use Watcher and have a Watch defined that uses the search input and additionally have set the search input’s logger to DEBUG or finer, for example using: org.elasticsearch.xpack.watcher.input.search, org.elasticsearch.xpack.watcher.input, org.elasticsearch.xpack.watcher, or wider, since the loggers are hierarchical.
漏洞公开时间:2024-07-26 13:15:10
漏洞创建时间:2024-12-12 00:46:31
漏洞详情参考链接:
https://nvd.nist.gov/vuln/detail/CVE-2023-49921

更多参考(点击展开)
参考来源 参考链接 来源链接
bressers.elastic.co https://discuss.elastic.co/t/elasticsearch-8-11-2-7-17-16-security-update-esa-2023-29/349179
redhat_bugzilla https://discuss.elastic.co/t/elasticsearch-8-11-2-7-17-16-security-update-esa-2023-29/349179 https://bugzilla.redhat.com/show_bug.cgi?id=2254251
ubuntu https://www.cve.org/CVERecord?id=CVE-2023-49921 https://ubuntu.com/security/CVE-2023-49921
ubuntu https://nvd.nist.gov/vuln/detail/CVE-2023-49921 https://ubuntu.com/security/CVE-2023-49921
ubuntu https://launchpad.net/bugs/cve/CVE-2023-49921 https://ubuntu.com/security/CVE-2023-49921
ubuntu https://security-tracker.debian.org/tracker/CVE-2023-49921 https://ubuntu.com/security/CVE-2023-49921
debian https://security-tracker.debian.org/tracker/CVE-2023-49921
github_advisory https://nvd.nist.gov/vuln/detail/CVE-2023-49921 https://github.com/advisories/GHSA-2hjr-vmf3-xwvp
github_advisory https://discuss.elastic.co/t/elasticsearch-8-11-2-7-17-16-security-update-esa-2023-29/349179 https://github.com/advisories/GHSA-2hjr-vmf3-xwvp
snyk https://discuss.elastic.co/t/elasticsearch-8-11-2-7-17-16-security-update-esa-2023-29/349179 https://security.snyk.io/vuln/SNYK-JAVA-ORGELASTICSEARCH-6125580
snyk https://github.com/elastic/elasticsearch/commit/07996e811541cd2f054894948a3b471678f64402 https://security.snyk.io/vuln/SNYK-JAVA-ORGELASTICSEARCH-6125580

漏洞分析指导链接:
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息:

详情(点击展开)
影响的包 修复版本 修复补丁 问题引入补丁 来源
https://github.com/elastic/elasticsearch/commit/07996e811541cd2f054894948a3b471678f64402 snyk
https://discuss.elastic.co/t/elasticsearch-8-11-2-7-17-16-security-update-esa-2023-29/349179 nvd

二、漏洞分析结构反馈
影响性分析说明:
An issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw contents of documents stored in Elasticsearch to be printed in logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by removing this excessive logging. This issue only affects users that use Watcher and have a Watch defined that uses the search input and additionally have set the search input’s logger to DEBUG or finer, for example using: org.elasticsearch.xpack.watcher.input.search, org.elasticsearch.xpack.watcher.input, org.elasticsearch.xpack.watcher, or wider, since the loggers are hierarchical.
openEuler评分:
6.5
Vector:CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
受影响版本排查(受影响/不受影响):
1.master(7.17.12):受影响
2.openEuler-20.03-LTS-SP4(7.17.4):受影响
3.openEuler-22.03-LTS-SP3(7.10.1):受影响
4.openEuler-22.03-LTS-SP4(7.10.1):受影响
5.openEuler-24.03-LTS(7.17.4):受影响
6.openEuler-24.03-LTS-Next(7.17.4):受影响
7.openEuler-24.03-LTS-SP1(7.17.4):受影响
8.openEuler-24.03-LTS-SP2(7.17.4):

修复是否涉及abi变化(是/否):
1.master(7.17.12):否
2.openEuler-20.03-LTS-SP4(7.17.4):否
3.openEuler-22.03-LTS-SP3(7.10.1):否
4.openEuler-22.03-LTS-SP4(7.10.1):否
5.openEuler-24.03-LTS(7.17.4):否
6.openEuler-24.03-LTS-Next(7.17.4):否
7.openEuler-24.03-LTS-SP1(7.17.4):否
8.openEuler-24.03-LTS-SP2(7.17.4):

原因说明:
1.master(7.17.12):暂不修复-待升级版本修复
2.openEuler-20.03-LTS-SP4(7.17.4):暂不修复-待升级版本修复
3.openEuler-22.03-LTS-SP3(7.10.1):暂不修复-待升级版本修复
4.openEuler-22.03-LTS-SP4(7.10.1):暂不修复-待升级版本修复
5.openEuler-24.03-LTS(7.17.4):暂不修复-待升级版本修复
6.openEuler-24.03-LTS-Next(7.17.4):暂不修复-待升级版本修复
7.openEuler-24.03-LTS-SP1(7.17.4):暂不修复-待升级版本修复
8.openEuler-24.03-LTS-SP2(7.17.4):

Comments (4)

5329419 openeuler ci bot 1632792936
openeuler-ci-bot createdCVE和安全问题 6 months ago
5329419 openeuler ci bot 1632792936
openeuler-ci-bot added
 
CVE/UNFIXED
label 6 months ago
Expand operation logs
5329419 openeuler ci bot 1632792936
openeuler-ci-bot added
 
sig/sig-EasyLife
label 6 months ago
5329419 openeuler ci bot 1632792936
openeuler-ci-bot set start time to 2024-12-12 6 months ago
5329419 openeuler ci bot 1632792936
openeuler-ci-bot set deadline to 2025-01-11 6 months ago
5329419 openeuler ci bot 1632792936
openeuler-ci-bot set priority to Secondary 6 months ago

影响性分析说明:
An issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw contents of documents stored in Elasticsearch to be printed in logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by removing this excessive logging. This issue only affects users that use Watcher and have a Watch defined that uses the search input and additionally have set the search input’s logger to DEBUG or finer, for example using: org.elasticsearch.xpack.watcher.input.search, org.elasticsearch.xpack.watcher.input, org.elasticsearch.xpack.watcher, or wider, since the loggers are hierarchical.

openEuler评分:
6.5
Vector:CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

受影响版本排查(受影响/不受影响):
1.master: 受影响
2.openEuler-20.03-LTS-SP4: 受影响
3.openEuler-22.03-LTS-SP3: 受影响
4.openEuler-22.03-LTS-SP4: 受影响
5.openEuler-24.03-LTS: 受影响
6.openEuler-24.03-LTS-Next: 受影响
7.openEuler-24.03-LTS-SP1: 受影响

修复是否涉及abi变化(是/否):
1.master: 否
2.openEuler-20.03-LTS-SP4: 否
3.openEuler-22.03-LTS-SP3: 否
4.openEuler-22.03-LTS-SP4: 否
5.openEuler-24.03-LTS: 否
6.openEuler-24.03-LTS-Next: 否
7.openEuler-24.03-LTS-SP1: 否

原因说明:
1.master: 暂不修复-待升级版本修复
2.openEuler-20.03-LTS-SP4: 暂不修复-待升级版本修复
3.openEuler-22.03-LTS-SP3: 暂不修复-待升级版本修复
4.openEuler-22.03-LTS-SP4: 暂不修复-待升级版本修复
5.openEuler-24.03-LTS: 暂不修复-待升级版本修复
6.openEuler-24.03-LTS-Next: 暂不修复-待升级版本修复
7.openEuler-24.03-LTS-SP1: 暂不修复-待升级版本修复
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed description 2 months ago
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed issue state from 待办的 to 已挂起 2 months ago
5329419 openeuler ci bot 1632792936
openeuler-ci-bot changed description a month ago

Sign in to comment

Status
Assignees
Labels
CVE/UNFIXED
sig/sig-EasyLife
Projects
Unprojected
Unprojected
Milestones
No related milestones
No related milestones
Pull Requests
None yet
None yet
Successfully merging a pull request will close this issue.
Branches
No related branch
Branches (21)
Tags (17)
master
openEuler-25.03
openEuler-24.09
openEuler-20.03-LTS-Next
openEuler-20.03-LTS-SP3
openEuler-20.03-LTS-SP4
openEuler-23.03
openEuler-23.09
openEuler-24.03-LTS
openEuler-24.03-LTS-Next
openEuler-24.03-LTS-SP1
openEuler-24.03-LTS-SP2
openEuler-22.09
openEuler-21.03
openEuler-21.09
openEuler-22.03-LTS
openEuler-22.03-LTS-Next
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
openEuler-22.03-LTS-SP3
openEuler-22.03-LTS-SP4
openEuler-25.03-release
openEuler-24.03-LTS-SP1-release
openEuler-22.03-LTS-SP4-release
openEuler-24.09-release
openEuler-24.03-LTS-release
openEuler-22.03-LTS-SP3-release
openEuler-23.09-rc5
openEuler-22.03-LTS-SP1-release
openEuler-22.09-release
openEuler-22.09-rc5
openEuler-22.09-20220829
openEuler-22.03-LTS-20220331
openEuler-22.03-LTS-round5
openEuler-22.03-LTS-round3
openEuler-22.03-LTS-round2
openEuler-22.03-LTS-round1
openEuler-21.03-20210330
Planed to start   -   Planed to end
-
Top level
Not Top
Not Top
Top Level: High
Top Level: Medium
Top Level: Low
Priority
Secondary
Not specified
Serious
Main
Secondary
Unimportant
Duration (hours)
参与者(2)
5329419 openeuler ci bot 1632792936 starlet_dx-starlet-dx
1
https://gitee.com/src-openeuler/python-elasticsearch7.git
git@gitee.com:src-openeuler/python-elasticsearch7.git
src-openeuler
python-elasticsearch7
python-elasticsearch7
Going to Help Center

Search

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
Repository Report
Back to the top