Lucene search

GoogleOSV:BIT-VAULT-2024-0831

HistoryMar 06, 2024 - 11:07 a.m.

BIT-vault-2024-0831

2024-03-0611:07:52

Google

osv.dev

vault

vault enterprise

sensitive information

audit devices

log_raw

software

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.7 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

23.5%

JSON

Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the log_raw option, which may log sensitive information to other audit devices, regardless of whether they are configured to use log_raw.

CPENameOperatorVersion
vaultlt1.15.5
vaultge1.15.0

CPE	Name	Operator	Version
	vault	lt	1.15.5
	vault	ge	1.15.0

References

developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration

discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311

security.netapp.com/advisory/ntap-20240223-0005/

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.7 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

23.5%

JSON

Related for OSV:BIT-VAULT-2024-0831