A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.
References
Link | Resource |
---|---|
https://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
18 Oct 2024, 20:15
Type | Values Removed | Values Added |
---|---|---|
Summary | (en) A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16. |
17 Oct 2024, 14:58
Type | Values Removed | Values Added |
---|---|---|
References | () https://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565 - Vendor Advisory | |
First Time |
Hashicorp
Hashicorp vault |
|
CWE | NVD-CWE-Other | |
CPE | cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:* |
15 Oct 2024, 12:58
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
10 Oct 2024, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-10 21:15
Updated : 2024-10-18 20:15
NVD link : CVE-2024-9180
Mitre link : CVE-2024-9180
CVE.ORG link : CVE-2024-9180
JSON object : View
Products Affected
hashicorp
- vault
CWE