Missing Encryption of Sensitive Data
CVE-2024-23444
Summary
Elastic Engineering discovered that when the elasticsearch-certutil CLI tool is run with the "csr" option to create new certificate signing requests, the private key generated alongside each CSR is written to disk unencrypted, even when the "--pass" parameter is supplied in the command invocation. The passphrase is accepted but not applied to the stored key, so an operator who relied on it is left with a plaintext key file. This issue affects package versions prior to 7.17.23 and 8.0.x prior to 8.13.0. Upgrading does not retroactively encrypt key files that an affected version has already written; those files stay plaintext until they are re-encrypted or the key pair is regenerated.
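A practical follow-up is to audit the CSR bundles already on disk. Whether a PEM private key is encrypted can be read from its envelope alone: PKCS#8 encrypted keys use the "ENCRYPTED PRIVATE KEY" label, and legacy OpenSSL "RSA PRIVATE KEY" / "EC PRIVATE KEY" files carry a "Proc-Type: 4,ENCRYPTED" header; anything else labelled "... PRIVATE KEY" is stored in the clear. The script below is an added example, not code from Elastic or from this advisory. It assumes a bundle layout of one directory per instance holding a .csr and a .key file, and the PEM bodies it embeds are constructed placeholders, not real key material.

```python
import io
import re
import zipfile
from typing import Dict, List

# Matches one PEM block, capturing its label ("RSA PRIVATE KEY", "CERTIFICATE", ...)
# and everything between the BEGIN and END lines (headers plus base64 body).
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def classify_pem_key(pem: bytes) -> str:
    """Return 'encrypted', 'plaintext' or 'none' for the first private key block in pem.

    * 'ENCRYPTED PRIVATE KEY' is the PKCS#8 encrypted envelope (RFC 7468 section 11).
    * Legacy OpenSSL key files signal encryption with a 'Proc-Type: 4,ENCRYPTED' line
      (followed by 'DEK-Info:') ahead of the base64 body.
    * Any other '... PRIVATE KEY' block is stored in the clear.
    """
    for match in PEM_BLOCK.finditer(pem):
        label, body = match.group(1), match.group(2)
        if not label.endswith(b"PRIVATE KEY"):
            continue  # certificate, CSR, parameters: not a key
        if label == b"ENCRYPTED PRIVATE KEY":
            return "encrypted"
        if b"Proc-Type: 4,ENCRYPTED" in body:
            return "encrypted"
        return "plaintext"
    return "none"


def audit_bundle(zip_bytes: bytes) -> Dict[str, str]:
    """Classify every private key inside a zip bundle, keyed by entry name."""
    results: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if b"PRIVATE KEY-----" in data:
                results[info.filename] = classify_pem_key(data)
    return results


def plaintext_keys(zip_bytes: bytes) -> List[str]:
    """Names of bundle entries whose private key is unencrypted."""
    return sorted(name for name, state in audit_bundle(zip_bytes).items() if state == "plaintext")


# --- Constructed sample data: placeholder base64 bodies, not real keys. ---
PLAINTEXT_KEY = (
    b"-----BEGIN PRIVATE KEY-----\n"
    b"MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7placeholder\n"
    b"-----END PRIVATE KEY-----\n"
)
ENCRYPTED_PKCS8_KEY = (
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    b"MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIplaceholder\n"
    b"-----END ENCRYPTED PRIVATE KEY-----\n"
)
LEGACY_ENCRYPTED_KEY = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    b"\n"
    b"placeholderbase64body\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
CSR = (
    b"-----BEGIN CERTIFICATE REQUEST-----\n"
    b"MIICplaceholder\n"
    b"-----END CERTIFICATE REQUEST-----\n"
)


def build_sample_bundle() -> bytes:
    """Build an in-memory zip in the assumed certutil csr layout (instance/instance.csr + .key)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("node1/node1.csr", CSR)
        zf.writestr("node1/node1.key", PLAINTEXT_KEY)        # what an affected version writes despite --pass
        zf.writestr("node2/node2.csr", CSR)
        zf.writestr("node2/node2.key", ENCRYPTED_PKCS8_KEY)  # what --pass is supposed to produce
        zf.writestr("legacy/legacy.key", LEGACY_ENCRYPTED_KEY)
    return buf.getvalue()


if __name__ == "__main__":
    bundle = build_sample_bundle()
    for name, state in sorted(audit_bundle(bundle).items()):
        print(f"{name}: {state}")
    print("plaintext keys:", plaintext_keys(bundle))
```

Point audit_bundle at the real csr bundle zip written by certutil (or run classify_pem_key over any .key file found on a node). Any entry reported as plaintext should be re-encrypted with a passphrase (for example with openssl pkcs8 -topk8 -in node.key -out node.enc.key, then securely deleting the original) or, where the key may already have been exposed, regenerated and the CSR re-issued.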
CVSS v3 metrics (values only)
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- HIGH
- HIGH
- NONE
CWE-311 - Missing Encryption of Sensitive Data
The software does not encrypt sensitive or critical information before storage or transmission.
References
Advisory Timeline
- Published