CVE-2025-37731
HIGH WAF: Low
CVSS 7.4
Published: 2025-12-15
CWE-287
Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.
WAF Coverage Analysis
Improper Authentication
Low WAF Coverage
OWASP: A07:2021 Identification and Authentication Failures
Affected Software
| Vendor | Product | Version |
|---|---|---|
| elastic | elasticsearch | 7.0.0 - 7.17.29 |
| elastic | elasticsearch | 8.0.0 - 8.19.8 |
| elastic | elasticsearch | 9.0.0 - 9.1.8 |
| elastic | elasticsearch | 9.2.0 - 9.2.2 |
References
- discuss.elastic.co (Vendor Advisory)