elasticsearch-rest-high-level-client-7.17.17.jar: 1 vulnerabilities (highest severity is: 4.9) - autoclosed

[mend-for-github-com[bot]]

Vulnerable Library - elasticsearch-rest-high-level-client-7.17.17.jar

Path to dependency file: /openmetadata-clients/openmetadata-java-client/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/7.17.17/elasticsearch-7.17.17.jar,/home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/7.17.17/elasticsearch-7.17.17.jar

Found in HEAD commit: 0d43a8050e6c73014cff9be7dec96a81296f3061

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (elasticsearch-rest-high-level-client version)	Remediation Possible**
CVE-2024-23450	Medium	4.9	elasticsearch-7.17.17.jar	Transitive	7.17.19	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-23450

### Vulnerable Library - elasticsearch-7.17.17.jar

Elasticsearch subproject :server

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /openmetadata-shaded-deps/elasticsearch-dep/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/7.17.17/elasticsearch-7.17.17.jar,/home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/7.17.17/elasticsearch-7.17.17.jar

Dependency Hierarchy: - elasticsearch-rest-high-level-client-7.17.17.jar (Root Library) - :x: **elasticsearch-7.17.17.jar** (Vulnerable Library)

Found in HEAD commit: 0d43a8050e6c73014cff9be7dec96a81296f3061

Found in base branch: main

### Vulnerability Details

A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the Elasticsearch node to crash.

Publish Date: 2024-03-27

URL: CVE-2024-23450

### CVSS 3 Score Details (4.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://discuss.elastic.co/t/elasticsearch-8-13-0-7-17-19-security-update-esa-2024-06/356314

Release Date: 2024-03-27

Fix Resolution (org.elasticsearch:elasticsearch): 7.17.19

Direct dependency fix Resolution (org.elasticsearch.client:elasticsearch-rest-high-level-client): 7.17.19

In order to enable automatic remediation, please create workflow rules

---

In order to enable automatic remediation for this issue, please create workflow rules

[mend-for-github-com[bot]]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.