Back

CVE-2024-8365

Sept. 2, 2024, 5:15 a.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Vault Community Edition

  • 1.17.5
  • 1.16.9

Vault Enterprise

  • 1.17.5
  • 1.16.9

Source

security@hashicorp.com

Tags

CWE-532
security@hashicorp.com
2024-09-02
CVE-2024-8365

CVE-2024-8365 details

Published : Sept. 2, 2024, 5:15 a.m.
Last Modified : Sept. 2, 2024, 5:15 a.m.

Description

Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.

CVSS Score

1 2 3 4 5 6.2 7 8 9 10

Weakness

Weakness Name Description
CWE-532 Insertion of Sensitive Information into Log File Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

6.2

Exploitability Score

1.7

Impact Score

4.0

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

References

URL Source
https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices/ security@hashicorp.com
This website uses the NVD API, but is not approved or certified by it.