CVE-2024-23444

Published Jul 31, 2024

Last updated 3 months ago

CVSS medium 4.9

Overview

Description
It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that is generated is stored on disk unencrypted even if the --pass parameter is passed in the command invocation.
Source
bressers@elastic.co
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
4.9
Impact score
3.6
Exploitability score
1.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Severity
MEDIUM

Weaknesses

bressers@elastic.co
CWE-311

Social media

Hype score
Not currently trending

References