GHSA-m9gh-789g-q5pv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m9gh-789g-q5pv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-m9gh-789g-q5pv/GHSA-m9gh-789g-q5pv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-m9gh-789g-q5pv
- Aliases
- Downstream
- Published
- 2025-12-15T12:30:27Z
- Modified
- 2025-12-18T12:25:57.346837Z
- Severity
-
- 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Elasticsearch PKI Realm Authentication Bypass Vulnerability Allows User Impersonation Through Crafted Client Certificates
- Details
-
Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-287", "CWE-295" ], "nvd_published_at": "2025-12-15T11:15:39Z", "severity": "MODERATE", "github_reviewed_at": "2025-12-16T15:52:23Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-37731
- https://github.com/elastic/elasticsearch/commit/cd97b8566bf56e628070021300784cb9cee0286f
- https://github.com/elastic/elasticsearch/commit/d8a408da79f214395845d99d241e832077045983
- https://github.com/elastic/elasticsearch/commit/e519fe4c51a3c887675eb7daea2f914738847f23
- https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-27/384063
- https://github.com/elastic/elasticsearch
Affected packages
Maven / org.elasticsearch:elasticsearch
Package
- Name
- org.elasticsearch:elasticsearch
- View open source insights on deps.dev
- Purl
- pkg:maven/org.elasticsearch/elasticsearch
Affected versions
7.*
7.0.0-alpha1
7.0.0-alpha2
7.0.0-beta1
7.0.0-rc1
7.0.0-rc2
7.0.0
7.0.1
7.1.0
7.1.1
7.2.0
7.2.1
7.3.0
7.3.1
7.3.2
7.4.0
7.4.1
7.4.2
7.5.0
7.5.1
7.5.2
7.6.0
7.6.1
7.6.2
7.7.0
7.7.1
7.8.0
7.8.1
7.9.0
7.9.1
7.9.2
7.9.3
7.10.0
7.10.1
7.10.2
7.11.0
7.11.1
7.11.2
7.12.0
7.12.1
7.13.0
7.13.1
7.13.2
7.13.3
7.13.4
7.14.0
7.14.1
7.14.2
7.15.0
7.15.1
7.15.2
7.16.0
7.16.1
7.16.2
7.16.3
7.17.0
7.17.1
7.17.2
7.17.3
7.17.4
7.17.5
7.17.6
7.17.7
7.17.8
7.17.9
7.17.10
7.17.11
7.17.12
7.17.13
7.17.14
7.17.15
7.17.16
7.17.17
7.17.18
7.17.19
7.17.20
7.17.21
7.17.22
7.17.23
7.17.24
7.17.25
7.17.26
7.17.27
7.17.28
7.17.29
8.*
8.0.0-alpha1
8.0.0-alpha2
8.0.0-beta1
8.0.0-rc1
8.0.0-rc2
8.0.0
8.0.1
8.1.0
8.1.1
8.1.2
8.1.3
8.2.0
8.2.1
8.2.2
8.2.3
8.3.0
8.3.1
8.3.2
8.3.3
8.4.0
8.4.1
8.4.2
8.4.3
8.5.0
8.5.1
8.5.2
8.5.3
8.6.0
8.6.1
8.6.2
8.7.0
8.7.1
8.8.0
8.8.1
8.8.2
8.9.0
8.9.1
8.9.2
8.10.0
8.10.1
8.10.2
8.10.3
8.10.4
8.11.0
8.11.1
8.11.2
8.11.3
8.11.4
8.12.0
8.12.1
8.12.2
8.13.0
8.13.1
8.13.2
8.13.3
8.13.4
8.14.0
8.14.1
8.14.2
8.14.3
8.15.0
8.15.1
8.15.2
8.15.3
8.15.4
8.15.5
8.16.0
8.16.1
8.16.2
8.16.3
8.16.4
8.16.5
8.16.6
8.17.0
8.17.1
8.17.2
8.17.3
8.17.4
8.17.5
8.17.6
8.17.7
8.17.8
8.17.9
8.17.10
8.18.0
8.18.1
8.18.2
8.18.3
8.18.4
8.18.5
8.18.6
8.18.7
8.18.8
8.19.0
8.19.1
8.19.2
8.19.3
8.19.4
8.19.5
8.19.6
8.19.7
Maven / org.elasticsearch:elasticsearch
Package
- Name
- org.elasticsearch:elasticsearch
- View open source insights on deps.dev
- Purl
- pkg:maven/org.elasticsearch/elasticsearch
Maven / org.elasticsearch:elasticsearch
Package
- Name
- org.elasticsearch:elasticsearch
- View open source insights on deps.dev
- Purl
- pkg:maven/org.elasticsearch/elasticsearch