CVE-2024-23444

July 31, 2024, 6:15 p.m.

CVSS Score

4.9 / 10

Product(s) Impacted

Elasticsearch

Description

It was discovered by Elastic engineering that when the elasticsearch-certutil CLI tool is used with the csr option to create a new Certificate Signing Request, the private key generated alongside the CSR is written to disk unencrypted, even when the --pass parameter is supplied on the command line. The passphrase given with --pass is therefore not applied to the key, and anyone able to read the output bundle can read the key material.
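
A check a practitioner can run on the bundle that elasticsearch-certutil csr writes, as an added example that is not Elastic's code or part of this advisory: it opens the zip, classifies every key entry by its PEM armour, and reports the ones holding plaintext key material. The layout assumed (one <instance>/<instance>.key beside <instance>.csr, in a zip) is an assumption about certutil's output; the sample bundle, the instance names and the key bodies are constructed placeholders, not real keys.

```python
"""Added example (not Elastic's code): find plaintext private keys in a CSR bundle.

The zip layout (<instance>/<instance>.key beside <instance>.csr) is assumed to
match what elasticsearch-certutil csr writes; every key body below is a
constructed placeholder, not real key material.
"""
import io
import re
import sys
import zipfile

# One PEM block: label on the BEGIN/END lines, everything between as the body
# (legacy OpenSSL files put "Proc-Type"/"DEK-Info" headers at the top of the body).
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def classify_pem_key(pem_text: str) -> str:
    """Return 'plaintext', 'encrypted' or 'no-key' for the contents of one PEM file.

    Encrypted forms recognised: PKCS#8 "ENCRYPTED PRIVATE KEY" (RFC 5958) and a
    traditional block ("RSA PRIVATE KEY", "EC PRIVATE KEY", ...) carrying the
    "Proc-Type: 4,ENCRYPTED" header.  Any other "... PRIVATE KEY" block holds
    unprotected key material, which is the condition this CVE describes.
    """
    verdict = "no-key"
    for match in PEM_BLOCK.finditer(pem_text):
        label, body = match.group("label"), match.group("body")
        if not label.endswith("PRIVATE KEY"):
            continue  # CSRs, certificates, parameters: not key material
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            verdict = "encrypted"
        else:
            return "plaintext"  # a single plaintext block fails the whole file
    return verdict


def scan_bundle(zip_bytes: bytes) -> dict:
    """Classify every *.key entry in a csr bundle; returns {entry_name: verdict}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as bundle:
        for name in sorted(bundle.namelist()):
            if name.endswith(".key"):
                results[name] = classify_pem_key(bundle.read(name).decode("ascii", "replace"))
    return results


def plaintext_keys(zip_bytes: bytes) -> list:
    """Names of key entries stored unencrypted (an empty list means the bundle is clean)."""
    return [name for name, verdict in scan_bundle(zip_bytes).items() if verdict == "plaintext"]


# Constructed PEM samples: the base64 bodies are filler, not encoded keys.
FILLER = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB\n"
PLAINTEXT_PKCS1 = "-----BEGIN RSA PRIVATE KEY-----\n" + FILLER + "-----END RSA PRIVATE KEY-----\n"
PLAINTEXT_PKCS8 = "-----BEGIN PRIVATE KEY-----\n" + FILLER + "-----END PRIVATE KEY-----\n"
ENCRYPTED_PKCS8 = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + FILLER + "-----END ENCRYPTED PRIVATE KEY-----\n"
ENCRYPTED_LEGACY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    + FILLER + "-----END RSA PRIVATE KEY-----\n"
)
CSR_ONLY = "-----BEGIN CERTIFICATE REQUEST-----\n" + FILLER + "-----END CERTIFICATE REQUEST-----\n"


def build_sample_bundle() -> bytes:
    """In-memory stand-in for csr-bundle.zip: node1's key is plaintext, node2's is encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as bundle:
        bundle.writestr("node1/node1.csr", CSR_ONLY)
        bundle.writestr("node1/node1.key", PLAINTEXT_PKCS1)
        bundle.writestr("node2/node2.csr", CSR_ONLY)
        bundle.writestr("node2/node2.key", ENCRYPTED_PKCS8)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_csr_bundle.py csr-bundle.zip   (no argument: the built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_bundle()
    for entry, verdict in scan_bundle(data).items():
        print(f"{verdict:9s} {entry}")
    sys.exit(1 if plaintext_keys(data) else 0)
```

A non-zero exit means at least one key is sitting on disk in the clear. Such a key should be treated as exposed for as long as it was unprotected; if it is kept, it can be re-wrapped under a passphrase with `openssl pkcs8 -topk8 -in node1.key -out node1.key.enc` (which prompts for the passphrase) and the plaintext copy shredded.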

Weaknesses

CWE-311
Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.


Date

Published: July 31, 2024, 6:15 p.m.

Last Modified: July 31, 2024, 6:15 p.m.

Status: Received

CVE has been recently published to the CVE List and has been received by the NVD.


Source

bressers@elastic.co

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score
4.9
Exploitability Score
1.2
Impact Score
3.6
Base Severity
MEDIUM
CVSS Vector String


CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

References