CVE-2023-46674: 
Java vulnerability analysis and mitigation

CVE-2023-46674 is a security vulnerability discovered in Elasticsearch-hadoop that allows unsafe deserialization of Java objects from Hadoop or Spark configuration properties. The vulnerability affects Elasticsearch-hadoop versions prior to 7.17.11 and versions 8.0.0 to 8.9.0 (excluding 8.9.0). The issue was discovered by Yakov Shafranovich from Amazon Web Services and was disclosed on December 5, 2023 (Elastic Advisory).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). It received a CVSS v3.1 base score of 7.8 (HIGH) from NIST with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Elastic assessed it with a CVSS score of 6.0 (MEDIUM) with vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H. The vulnerability specifically involves the unsafe deserialization of Java objects from configuration properties that could be modified by authenticated users (NVD).

The vulnerability could potentially allow authenticated users to manipulate Hadoop or Spark configuration properties, leading to unauthorized access and potential system compromise through unsafe object deserialization (NVD).

The vulnerability has been patched in Elasticsearch-hadoop versions 7.17.11 and 8.9.0. Users are recommended to upgrade to these versions or later to address the security issue (Elastic Advisory).