Security
Headlines

Headlines Latest CVEs

Headline

GHSA-m9gh-789g-q5pv: Elasticsearch PKI Realm Authentication Bypass Vulnerability Allows User Impersonation Through Crafted Client Certificates

Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.

3 days ago

#vulnerability #git #java #intel #auth #maven

Skip to content

Navigation Menu

- AI CODE CREATION
  - GitHub CopilotWrite better code with AI
  - GitHub SparkBuild and deploy intelligent apps
  - GitHub ModelsManage and compare prompts
  - MCP RegistryNewIntegrate external tools

View all features

Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

Appearance settings

GitHub Advisory Database
GitHub Reviewed
CVE-2025-37731

Elasticsearch PKI Realm Authentication Bypass Vulnerability Allows User Impersonation Through Crafted Client Certificates

Moderate severity GitHub Reviewed Published Dec 15, 2025 to the GitHub Advisory Database • Updated Dec 16, 2025

Package

maven org.elasticsearch:elasticsearch (Maven)

Affected versions

>= 7.0.0-alpha1, < 8.19.8

>= 9.0.0-beta1, < 9.1.8

>= 9.2.0, < 9.2.2

Patched versions

8.19.8

9.1.8

9.2.2

Description

Published to the GitHub Advisory Database

Dec 15, 2025

Last updated

Dec 16, 2025

ghsa: Latest News

GHSA-x8cp-jf6f-r4xh: AWS SDK for PHP's S3 Encryption Client has a Key Commitment Issue

1 hour ago

GHSA-2xgq-q749-89fq: AWS SDK for Ruby's S3 Encryption Client has a Key Commitment Issue

1 hour ago

GHSA-3g75-q268-r9r6: Amazon S3 Encryption Client has a Key Commitment Issue

1 hour ago

GHSA-8452-54wp-rmv6: Storybook manager bundle may expose environment variables during build

1 hour ago

GHSA-529f-9qwm-9628: tinacms is vulnerable to arbitrary code execution

2 hours ago