CVE-2024-23444 Information

Description

It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests the associated private key that is generated is stored on disk unencrypted even if the –pass parameter is passed in the command invocation.

Reference

https://discuss.elastic.co/t/elasticsearch-8-13-0-7-17-23-security-update-esa-2024-12/364157