CVE-2024-8365

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-8365
Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices/ Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*
History

04 Sep 2024, 14:37

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.2 		v2 : unknown
v3 : 6.5
CPE cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*
References () https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices/ - () https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices/ - Vendor Advisory
First Time Hashicorp vault
Hashicorp

03 Sep 2024, 12:59

Type Values Removed Values Added
Summary
  • (es) Vault Community Edition y Vault Enterprise experimentaron una regresión en la que se eliminó la funcionalidad que codificaba mediante HMAC los encabezados confidenciales en el dispositivo de auditoría configurado, específicamente los tokens de cliente y los descriptores de acceso de token. Esto provocó que los valores de texto sin formato de los tokens de cliente y los descriptores de acceso de token se almacenaran en el registro de auditoría. Esta vulnerabilidad, CVE-2024-8365, se solucionó en Vault Community Edition y Vault Enterprise 1.17.5 y Vault Enterprise 1.16.9.

02 Sep 2024, 05:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-02 05:15

Updated : 2024-09-04 14:37

NVD link : CVE-2024-8365

Mitre link : CVE-2024-8365

CVE.ORG link : CVE-2024-8365

JSON object : View

Products Affected

hashicorp

  • vault
CWE
CWE-532

Insertion of Sensitive Information into Log File