SB2025031312 - IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component update for elasticsearch

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025031312

SB2025031312 - IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component update for elasticsearch

Published: March 13, 2025

Security Bulletin ID SB2025031312
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Local access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Cleartext storage of sensitive information (CVE-ID: CVE-2024-23444)

CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists within the new Certificate Signing Requests when elasticsearch-certutil CLI tool is used with the csr option in order to create a new request. The associated private key that is generated is stored on disk unencrypted even if the --pass parameter is passed in the command invocation. A local user with access to the system can obtain the key.


Remediation

Install update from vendor's website.

References