NVD:CVE-2024-8365
Sep 02, 2024 - 5:15 a.m.

CVE-2024-8365

2024-09-02 05:15:17
CWE-532
web.nvd.nist.gov
cve-2024-8365, vault, enterprise, regression, plaintext, sensitive, headers, audit logs

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS: 0.001
Percentile: 37.7%

Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.
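One way to check existing audit logs for the exposure described above, as an added example (not code from NVD or HashiCorp). It assumes the audit device writes one JSON object per line, that correctly protected values carry an `hmac-sha256:` prefix, and that tokens and accessors appear under the key names listed in `SENSITIVE_KEYS`; the sample entries are constructed.

```python
import json

HMAC_PREFIX = "hmac-sha256:"  # assumed prefix on HMAC'd audit values
# Assumed key names under which tokens/accessors appear in an audit entry.
SENSITIVE_KEYS = {"client_token", "accessor", "client_token_accessor", "x-vault-token"}


def plaintext_hits(node, path=""):
    """Yield the JSON path of every sensitive value that is not HMAC'd."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_KEYS:
                values = value if isinstance(value, list) else [value]
                for v in values:
                    # Empty strings (no token present) are not an exposure.
                    if isinstance(v, str) and v and not v.startswith(HMAC_PREFIX):
                        yield child
            else:
                yield from plaintext_hits(value, child)
    elif isinstance(node, list):
        for item in node:
            yield from plaintext_hits(item, path)


def scan_audit_lines(lines):
    """Return (line_number, path) pairs; the values themselves are never echoed."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            findings.append((lineno, "<unparseable>"))
            continue
        findings.extend((lineno, p) for p in plaintext_hits(entry))
    return findings


# Constructed sample entries: line 1 is HMAC'd as intended, line 2 shows the regression.
SAMPLE = [
    '{"type":"request","auth":{"client_token":"hmac-sha256:3f9a","accessor":"hmac-sha256:77c1"},"request":{"path":"secret/data/app"}}',
    '{"type":"request","auth":{"client_token":"hvs.EXAMPLEONLY","accessor":"EXAMPLEACCESSOR"},"request":{"path":"secret/data/app","headers":{"x-vault-token":["hvs.EXAMPLEONLY"]}}}',
]

if __name__ == "__main__":
    for lineno, path in scan_audit_lines(SAMPLE):
        print(f"line {lineno}: plaintext value at {path}")
```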

Affected configurations

Nvd
Node
hashicorp vault, Range <1.16.9, enterprise
OR
hashicorp vault, Range <1.17.5, -
OR
hashicorp vault, Range 1.17.0 to 1.17.5, enterprise

Vendor | Product | Version | CPE
hashicorp | vault | * | cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*
hashicorp | vault | * | cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*
