7.4
CVE-2025-37731
- EPSS 0.04%
- Veröffentlicht 15.12.2025 10:42:21
- Zuletzt bearbeitet 18.12.2025 01:49:07
- Quelle security@elastic.co
- CVE-Watchlists
- Unerledigt
Elasticsearch Improper Authentication
Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Elastic ≫ Elasticsearch Version >= 7.0.0 <= 7.17.29
Elastic ≫ Elasticsearch Version >= 8.0.0 < 8.19.8
Elastic ≫ Elasticsearch Version >= 9.0.0 < 9.1.8
Elastic ≫ Elasticsearch Version >= 9.2.0 < 9.2.2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.04% | 0.104 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.4 | 2.2 | 5.2 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
|
| security@elastic.co | 6.8 | 1.6 | 5.2 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.