Missing Encryption of Sensitive Data

CVE-2024-23444

Severity Medium
Score 4.9/10

Summary

It was discovered by Elastic Engineering that when the elasticsearch-certutil CLI tool is used with the "csr" option to create new certificate signing requests, the associated private key that is generated is stored on disk unencrypted, even if the "--pass" parameter is passed in the command invocation. This issue affects package versions prior to 7.17.23 and 8.0.x prior to 8.13.0.
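The practical question this advisory raises for an operator is whether a CSR-generation run left a plaintext private key on disk. The following audit script is an added example, not Elastic code and not part of the advisory: it classifies PEM files by their envelope (PKCS#8 "ENCRYPTED PRIVATE KEY", legacy OpenSSL "Proc-Type: 4,ENCRYPTED", or a plaintext key block) and flags any key that is not encrypted. The file names, directory layout and base64 bodies are constructed placeholders, not real keys.

```python
"""Audit PEM private-key files for missing encryption.

Added example, not Elastic code. A header-only check is enough to tell the
three common cases apart without needing a passphrase:
  * "ENCRYPTED PRIVATE KEY"                        -> PKCS#8, encrypted
  * "RSA/EC/... PRIVATE KEY" + "Proc-Type: 4,ENCRYPTED" -> legacy OpenSSL, encrypted
  * any other private-key block                     -> plaintext, flag it
"""
import re
import tempfile
from pathlib import Path

# One PEM block: label on BEGIN must match label on END; body is everything between.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def classify_pem(text: str) -> list:
    """Return one (label, status) tuple per PEM block in `text`.

    status is 'encrypted', 'plaintext' or 'not-a-key'.
    """
    findings = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group("label"), m.group("body")
        if "PRIVATE KEY" not in label:
            findings.append((label, "not-a-key"))          # certs, CSRs, params
        elif label == "ENCRYPTED PRIVATE KEY":
            findings.append((label, "encrypted"))          # PKCS#8 with PBES
        elif re.search(r"^Proc-Type:\s*4,\s*ENCRYPTED", body, re.MULTILINE):
            findings.append((label, "encrypted"))          # legacy OpenSSL envelope
        else:
            findings.append((label, "plaintext"))          # the case this advisory describes
    return findings


def audit_directory(root, suffixes=(".key", ".pem")) -> dict:
    """Walk `root` and map each key-like file to its PEM classifications."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            results[str(path)] = classify_pem(path.read_text(errors="replace"))
    return results


def unencrypted_keys(results: dict) -> list:
    """Paths (sorted) that contain at least one plaintext private key."""
    return sorted(p for p, f in results.items() if any(s == "plaintext" for _, s in f))


# Constructed samples: the base64 bodies are placeholders, not real key material.
PLAINTEXT_PKCS8 = (
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7PLACEHOLDER\n"
    "-----END PRIVATE KEY-----\n"
)
ENCRYPTED_PKCS8 = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIPLACEHOLDER\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)
LEGACY_ENCRYPTED_RSA = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "bW9ja2VkIGJvZHkgZm9yIGlsbHVzdHJhdGlvbg==\n"
    "-----END RSA PRIVATE KEY-----\n"
)
CSR_ONLY = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MIICPLACEHOLDER\n"
    "-----END CERTIFICATE REQUEST-----\n"
)


def demo() -> list:
    """Write the constructed samples into a temp dir, audit it, and return
    the file names that hold a plaintext key (hypothetical names)."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "http.key": PLAINTEXT_PKCS8,        # what the bug produces despite --pass
            "transport.key": ENCRYPTED_PKCS8,   # what --pass is expected to produce
            "legacy.pem": LEGACY_ENCRYPTED_RSA,
            "http.csr": CSR_ONLY,               # not a key file, not scanned
        }
        for name, content in files.items():
            Path(tmp, name).write_text(content)
        flagged = unencrypted_keys(audit_directory(tmp))
        return [Path(p).name for p in flagged]


if __name__ == "__main__":
    print(demo())  # -> ['http.key']
```

Run it against the directory where the certutil output archive was unpacked; any path it reports should be re-keyed or re-encrypted, and the check is cheap enough to keep in a post-provisioning step even after upgrading past the affected versions.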

CVSS v3.1 base metrics (score 4.9, Medium):

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: HIGH
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality: HIGH
  • Integrity: NONE
  • Availability: NONE

CWE-311 - Missing Encryption of Sensitive Data

The software does not encrypt sensitive or critical information before storage or transmission.

Advisory Timeline

  • Published