SSB-2023-003 - Elasticsearch

CVSS score v3.1
Base 7.5
Temporal 6.7
Environmental 6.0

Scalingo is aware of the recently reported issue regarding Elasticsearch (CVE-2023-31418).

This vulnerability would allow an unauthenticated user to bring down an Elasticsearch instance by sending malformed HTTP requests.

It cannot be exploited as-is on Scalingo, because we setup our Elasticsearch clusters with a reverse proxy which does not allow unauthenticated calls.

Still, an authenticated user could bring down a server by sending massive amounts of requests with bogus data. Don’t do this !

As we can’t provide any updated versions due to a licensing change by Elastic, we won’t be able to provide a patched version.

Action required


Scalingo PaaS

Scalingo Platform-As-A-Service is not impacted.

Scalingo DBaaS addons

Scalingo Database-As-A-Service Elasticsearch is impacted, but the vulnerability is mitigated by our authentication policy.

Other Scalingo addons and services

Other Scalingo Platform addons and features are not impacted.


2023-10-18 : Initial version

Suggest edits

SSB-2023-003 - Elasticsearch

©2024 Scalingo