Base Score

HIGH7.5

CVE-2024-23444

It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that is generated is stored on disk unencrypted even if the --pass parameter is passed in the command invocation.

VectorNETWORK

Published Bysecurity@elastic.co

Published DateJul 31, 2024, 18:15

Affected Versions(2)

org.elasticsearch:elasticsearch(Maven)

Introduced8.0.0-alpha1

Fixed8.13.0

LimitN/A

org.elasticsearch:elasticsearch(Maven)

Introduced0

Fixed7.17.23

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.elasticsearch:elasticsearch(Maven)	8.0.0-alpha1	8.13.0	N/A
org.elasticsearch:elasticsearch(Maven)	0	7.17.23	N/A

Weakness Type (CWE):CWE-311

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE

References

Base Score

HIGH7.5

Weakness Type (CWE):CWE-311

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE