CVE-2024-23444

Published: Jul 31, 2024Modified: Apr 4, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that is generated is stored on disk unencrypted even if the --pass parameter is passed in the command invocation.

Affected (2)

Products: Elastic: Elasticsearch

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Elastic Elasticsearch	From 7.0.0 to 7.17.23
Elastic Elasticsearch	From 8.0.0 to 8.13.0

Related CWEs

Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

References (2)

https://discuss.elastic.co/t/elasticsearch-8-13-0-7-17-23-security-update-esa-2024-12/364157

Source: security@elastic.co

Vendor Advisory

https://security.netapp.com/advisory/ntap-20250404-0001/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.