7 matches found
CVE-2024-8365 Vault Leaks AppRole Client Tokens And Accessor in Audit Log
Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being...
GO-2023-1900 Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation in github.com/hashicorp/vault
Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation in github.com/hashicorp/vault...
GHSA-WMG5-G953-QQFW Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation
When using the Vault and Vault Enterprise Vault approle auth method, any authenticated user with access to the /auth/approle/role/:rolename/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999, has...
Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation
When using the Vault and Vault Enterprise Vault approle auth method, any authenticated user with access to the /auth/approle/role/:rolename/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999, has...
CVE-2023-24999
HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above...
CVE-2023-24999
HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above...
CVE-2023-24999 Vault Fails to Verify if the AppRole SecretID Belongs to Role During a Destroy Operation
HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above...