CVE-2024-43709
Published: 21 January 2025
Description
An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via a specially crafted query using an SQL function.
Security Summary
CVE-2024-43709 is a vulnerability in Elasticsearch involving an allocation of resources without limits or throttling, which can lead to an OutOfMemoryError exception and subsequent crash. The issue is triggered by a specially crafted query that uses an SQL function. It is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation crashes the Elasticsearch instance, producing a denial-of-service condition; this is reflected in the CVSS vector's High availability impact (A:H), with no confidentiality or integrity impact.
Elastic's security advisory ESA-2024-25 addresses the vulnerability with patches released in Elasticsearch versions 7.17.21 and 8.13.3. NetApp has also published advisory NTAP-20250221-0007 detailing the issue and mitigation steps for affected products.
Details
- CWE(s)