CVE-2023-31418: 
Java vulnerability analysis and mitigation

An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. The vulnerability affects Elasticsearch versions up to 7.17.12 and from 8.0.0 up to 8.8.2, as well as Elastic Cloud Enterprise up to versions 2.13.3 and 3.6.0. The issue was identified by Elastic Engineering with no indication of it being known or exploited in the wild (Elastic Advisory).

The vulnerability has been assigned CVE-2023-31418 with a CVSS v3.1 Base Score of 7.5 (High). The attack vector is Network-based (N), with Low attack complexity (L), requiring No privileges (N) and No user interaction (UI). The scope is Unchanged (U), with No impact on confidentiality (N) and integrity (N), but High impact on availability (H). The complete vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The primary impact of this vulnerability is on system availability. When successfully exploited, an unauthenticated attacker can cause an Elasticsearch node to crash by triggering an OutOfMemory error through malformed HTTP requests. This can result in a denial of service condition, potentially affecting the availability of the Elasticsearch service (Elastic Advisory).

Users are advised to upgrade to Elasticsearch version 7.17.13 or 8.9.0 and higher. For Elastic Cloud Enterprise users, upgrading to version 2.13.4 or 3.6.1 is recommended to address this vulnerability (Elastic Advisory).