Products
Elasticsearch
Source
bressers@elastic.co
Tags
CVE-2024-23444 details
Published : July 31, 2024, 6:15 p.m.
Last Modified : July 31, 2024, 6:15 p.m.
Last Modified : July 31, 2024, 6:15 p.m.
Description
It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that is generated is stored on disk unencrypted even if the --pass parameter is passed in the command invocation.
CVSS Score
| 1 | 2 | 3 | 4.9 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-311 | Missing Encryption of Sensitive Data | The product does not encrypt sensitive or critical information before storage or transmission. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
4.9
Exploitability Score
1.2
Impact Score
3.6
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
References
| URL | Source |
|---|---|
| https://discuss.elastic.co/t/elasticsearch-8-13-0-7-17-23-security-update-esa-2024-12/364157 | bressers@elastic.co |
This website uses the NVD API, but is not approved or certified by it.