VYPR
Moderate severityNVD Advisory· Published Jul 31, 2024· Updated Apr 4, 2025

Elasticsearch elasticsearch-certutil csr fails to encrypt private key

CVE-2024-23444

Description

It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that is generated is stored on disk unencrypted even if the --pass parameter is passed in the command invocation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.elasticsearch:elasticsearchMaven
>= 8.0.0-alpha1, < 8.13.08.13.0
org.elasticsearch:elasticsearchMaven
< 7.17.237.17.23

Affected products

140

Patches

Vulnerability mechanics

References

9

News mentions

0

No linked articles in our index yet.