CVE-2024-23444

Summary

It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that is generated is stored on disk unencrypted even if the –pass parameter is passed in the command invocation.

Affected Software

VendorProductVersion RangeStatus
ElasticElasticsearch7.x < 7.17.23affected
ElasticElasticsearch8.x < 8.13.0affected

Weaknesses

  • CWE-311: CWE-311 Missing Encryption of Sensitive Data

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References