CVE-2024-5798

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-5798
Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected. This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9

2.6 /10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770
https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770
Configurations

No configuration.

History

21 Nov 2024, 09:48

Type Values Removed Values Added
References () https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770 - () https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770 -

13 Jun 2024, 18:36

Type Values Removed Values Added
Summary
  • (es) Vault y Vault Enterprise no validaron correctamente la reclamación de audiencia vinculada a roles JSON Web Token (JWT) al utilizar el método de autenticación Vault JWT. Esto puede haber provocado que Vault valide un JWT en el que las afirmaciones de audiencia y roles no coinciden, lo que permitió que un inicio de sesión no válido se realizara correctamente cuando debería haber sido rechazado. Esta vulnerabilidad, CVE-2024-5798, se solucionó en Vault y Vault Enterprise 1.17.0, 1.16.3 y 1.15.9.

12 Jun 2024, 19:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-06-12 19:15

Updated : 2024-11-21 09:48

NVD link : CVE-2024-5798

Mitre link : CVE-2024-5798

CVE.ORG link : CVE-2024-5798

JSON object : View

Products Affected

No product.

CWE
CWE-285

Improper Authorization


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024