CVE-2024-23444 MEDIUM

CVE-2024-23444: Elasticsearch elasticsearch-certutil csr fails to encrypt private key

Vendor Elastic
Product Elasticsearch
Weakness CWE-311 · Missing encryption
Published July 31, 2024
Last update April 4, 2025

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

It was discovered by Elastic engineering that when the elasticsearch-certutil CLI tool is used with the csr option to create a new Certificate Signing Request, the associated private key that is generated is stored on disk unencrypted, even if the --pass parameter is passed in the command invocation.
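As an added defender-side check (not part of this advisory or of Elastic's tooling), the following Python inspects PEM text for private keys that are not actually encrypted, which is the condition the description reports. It treats PKCS#8 "ENCRYPTED PRIVATE KEY" blocks and legacy OpenSSL keys carrying Proc-Type/DEK-Info headers as encrypted; the sample PEM blocks are constructed with placeholder bodies, not real key material.

```python
"""Detect PEM private keys that were written to disk unencrypted."""
import re

# PKCS#8 encrypted label; legacy OpenSSL labels (encrypted only with RFC 1421 headers); PKCS#8 plaintext.
ENCRYPTED_LABELS = {"ENCRYPTED PRIVATE KEY"}
LEGACY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}
PLAINTEXT_LABELS = {"PRIVATE KEY"}
BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

def classify_pem_blocks(pem_text: str) -> list[tuple[str, str]]:
    """Return (label, status) per PEM block; status is encrypted, plaintext or not-a-key."""
    results = []
    for m in BLOCK_RE.finditer(pem_text):
        label, body = m.group("label"), m.group("body")
        if label in ENCRYPTED_LABELS:
            status = "encrypted"
        elif label in LEGACY_LABELS:
            # A legacy (PKCS#1/SEC1) key is encrypted only if it carries these headers.
            enc = "Proc-Type: 4,ENCRYPTED" in body and "DEK-Info:" in body
            status = "encrypted" if enc else "plaintext"
        elif label in PLAINTEXT_LABELS:
            status = "plaintext"
        else:
            status = "not-a-key"  # e.g. CERTIFICATE REQUEST, CERTIFICATE
        results.append((label, status))
    return results

def files_with_plaintext_keys(contents: dict[str, str]) -> list[str]:
    """Given {filename: file text}, return the files holding an unencrypted private key."""
    return [name for name, text in contents.items()
            if any(s == "plaintext" for _, s in classify_pem_blocks(text))]

# Constructed samples; the base64 bodies are placeholders, not real key material.
SAMPLE_CSR_AND_KEY = (  # a CSR bundle whose key was written in the clear
    "-----BEGIN CERTIFICATE REQUEST-----\nMIICPLACEHOLDER\n-----END CERTIFICATE REQUEST-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANPLACEHOLDER\n-----END PRIVATE KEY-----\n"
)
SAMPLE_PKCS8_ENCRYPTED = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHDBOPLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n"
SAMPLE_LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nPLACEHOLDER\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(files_with_plaintext_keys({"csr-bundle.pem": SAMPLE_CSR_AND_KEY, "enc.key": SAMPLE_PKCS8_ENCRYPTED, "legacy.key": SAMPLE_LEGACY_ENCRYPTED}))
```

Run it over the files a certutil csr invocation produced after supplying --pass; any file reported by files_with_plaintext_keys holds a key that the passphrase did not protect.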

Key dates

Disclosure timeline

July 31, 2024 CVE published
April 4, 2025 Record updated