CVE-2024-23444
4.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that is generated is stored on disk unencrypted even if the –pass parameter is passed in the command invocation.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Elastic | Elasticsearch | 7.x < 7.17.23 | affected |
| Elastic | Elasticsearch | 8.x < 8.13.0 | affected |
Weaknesses
- CWE-311: CWE-311 Missing Encryption of Sensitive Data
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.