CVE-2024-0831 — Log File Information Exposure in Hashicorp Vault

CWE-532 — Log File Information Exposure5 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 47.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Vault Hashicorp Vault Hashicorp Vault Enterprise

Timeline

PublishedFeb 1

Latest updateJun 28

Description

Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5hashicorp/vault_enterprise1.15.0 — 1.15.4

▶NVDhashicorp/vault1.15.0 — 1.15.5

▶Gogithub.com/hashicorp_vault1.15.0 — 1.15.5

▶CVEListV5hashicorp/vault1.15.0 — 1.15.4

🔴Vulnerability Details

OSV

Hashicorp Vault may expose sensitive log information in github.com/hashicorp/vault↗2024-06-28

▶

GHSA

Hashicorp Vault may expose sensitive log information↗2024-02-01

▶

OSV

Hashicorp Vault may expose sensitive log information↗2024-02-01

▶

📋Vendor Advisories

Red Hat

vault: sensitive information disclosure↗2024-02-01

▶