CVE-2024-8365

Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*

History

04 Sep 2024, 14:37

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.2
v2 : unknown
v3 : 6.5
First Time Hashicorp vault
Hashicorp
References () https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices/ - () https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices/ - Vendor Advisory
CPE cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*

03 Sep 2024, 12:59

Type Values Removed Values Added
Summary
  • (es) Vault Community Edition y Vault Enterprise experimentaron una regresión en la que se eliminó la funcionalidad que codificaba mediante HMAC los encabezados confidenciales en el dispositivo de auditoría configurado, específicamente los tokens de cliente y los descriptores de acceso de token. Esto provocó que los valores de texto sin formato de los tokens de cliente y los descriptores de acceso de token se almacenaran en el registro de auditoría. Esta vulnerabilidad, CVE-2024-8365, se solucionó en Vault Community Edition y Vault Enterprise 1.17.5 y Vault Enterprise 1.16.9.

02 Sep 2024, 05:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-02 05:15

Updated : 2024-09-04 14:37


NVD link : CVE-2024-8365

Mitre link : CVE-2024-8365

CVE.ORG link : CVE-2024-8365


JSON object : View

Products Affected

hashicorp

  • vault
CWE
CWE-532

Insertion of Sensitive Information into Log File