CVE-2025-68390

MEDIUM4.9EPSS 0.27%

Elasticsearch Allocation of Resources Without Limits or Throttling

發布日:2025/12/19修改日:2025/12/20

也稱為:GHSA-gphj-4h6p-37xqBIT-elasticsearch-2025-68390

描述

Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via crafted HTTP request.

受影響套件(2)

Bitnami/elasticsearchfrom 0, < 8.19.8, >= 9.0.0, < 9.1.8, >= 9.2.0, < 9.2.2
Maven/org.elasticsearch.plugin:x-pack-corefrom 0, < 8.19.8

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-68390
PATCHhttps://github.com/elastic/elasticsearch
WEBhttps://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-37/384185
WEBhttps://github.com/elastic/elasticsearch/pull/138132