CVE-2023-49923 MEDIUM

CVE-2023-49923: Enterprise Search Insertion of Sensitive Information into Log File

Vendor Elastic
Product Enterprise Search
Weakness CWE-532 · Sensitive info in logs
Published December 12, 2023
Last update May 24, 2025

CVSS base score

6.8/10
Attack vector Adjacent
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents at INFO log level. Depending on the contents of such documents, this could lead to the insertion of sensitive or private information in the App Search logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by changing the log level at which these are logged to DEBUG, which is disabled by default.

Key dates

02Disclosure timeline

December 12, 2023 CVE published
May 24, 2025 Record updated