Elastic engineering discovered that when the elasticsearch-certutil CLI tool is used with the csr option to create a new Certificate Signing Request, the associated private key that is generated is stored on disk unencrypted, even if the --pass parameter is passed in the command invocation. The passphrase therefore does not protect the key at rest.
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23444.json"
[
{
"id": "CVE-2024-23444-3fa86dc6",
"target": {
"function": "test600Interrupt",
"file": "qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/elastic/elasticsearch/commit/61d76462eecaf09ada684d1b5d319b5ff6865a83",
"digest": {
"function_hash": "69844453905830246677820397096534298013",
"length": 935.0
},
"signature_type": "Function"
},
{
"id": "CVE-2024-23444-9616b188",
"target": {
"file": "server/src/test/java/org/elasticsearch/threadpool/ThreadPoolTests.java"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/elastic/elasticsearch/commit/09df99393193b2c53d92899662a8b8b3c55b45cd",
"digest": {
"threshold": 0.9,
"line_hashes": [
"36530912574437381226782567206995626327",
"244108005552100167940772669739727799311",
"122676380888478570388070130641794056358"
]
},
"signature_type": "Line"
},
{
"id": "CVE-2024-23444-bda6ba2f",
"target": {
"file": "qa/os/src/test/java/org/elasticsearch/packaging/test/DockerTests.java"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/elastic/elasticsearch/commit/61d76462eecaf09ada684d1b5d319b5ff6865a83",
"digest": {
"threshold": 0.9,
"line_hashes": [
"268439700297186282373755313812072452487",
"26797522030344409565822344236984547088",
"49674375891833826585064844018322645796",
"241861009769944274883436754269135918658",
"110241150124042836880806124194125742521",
"4974205076996931494879974579405987532"
]
},
"signature_type": "Line"
}
]