Elastic engineering discovered that when the elasticsearch-certutil CLI tool is used with the csr option to create a new Certificate Signing Request, the associated private key that is generated is stored on disk unencrypted, even if the --pass parameter is passed in the command invocation.
Published: 2024-07-31T18:15:11.983
Last modified: 2025-04-04T23:15:41.133
Status: Modified
CVSSv3.1: 4.9 (MEDIUM)
Type | Vendor | Product | Version/Range | Vulnerable? |
---|---|---|---|---|
Application | elastic | elasticsearch | < 7.17.23 | Yes |
Application | elastic | elasticsearch | < 8.13.0 | Yes |