CVE-2024-23444: Elasticsearch stores private key on disk unencrypted
(updated )
It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that is generated is stored on disk unencrypted even if the --pass parameter is passed in the command invocation.
References
- discuss.elastic.co/t/elasticsearch-8-13-0-7-17-23-security-update-esa-2024-12/364157
- github.com/advisories/GHSA-5v8f-xx9m-wj44
- github.com/elastic/elasticsearch
- github.com/elastic/elasticsearch/commit/07296d596a1dee24730e33ad40b6726f70c6fc23
- github.com/elastic/elasticsearch/commit/321c4e1e6b738bf80faa41dbb9881489a4ab44e5
- github.com/elastic/elasticsearch/commit/bb1eddada3678257838b0590090ff9eb68acaa1b
- github.com/elastic/elasticsearch/pull/106105
- github.com/elastic/elasticsearch/pull/109834
- nvd.nist.gov/vuln/detail/CVE-2024-23444
- security.netapp.com/advisory/ntap-20250404-0001
Code Behaviors & Features
Detect and mitigate CVE-2024-23444 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →