CVE-2024-0831
published 2024-02-01
Priority: P4 · 34 · medium · 6.5 · CVSS 3.1
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.76% (50.8th percentile)
Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | >= 1.15.0 < 1.15.5 | 1.15.5 |
| hashicorp | vault | >= 1.15.0 < 1.15.5 | 1.15.5 |
| hashicorp | vault | 1.15.0 – 1.15.4 | — |
| hashicorp | vault_enterprise | 1.15.0 – 1.15.4 | — |
CVSS provenance
nvd · v3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vendor_redhat · 4.5 MEDIUM
OSV
Hashicorp Vault may expose sensitive log information in github.com/hashicorp/vault
osv·2024-06-28
CVE-2024-0831 Hashicorp Vault may expose sensitive log information in github.com/hashicorp/vault
GHSA
Hashicorp Vault may expose sensitive log information
ghsa·2024-02-01
CVE-2024-0831 [MEDIUM] CWE-532 Hashicorp Vault may expose sensitive log information
OSV
Hashicorp Vault may expose sensitive log information
osv·2024-02-01
CVE-2024-0831 [MEDIUM] Hashicorp Vault may expose sensitive log information
Red Hat
vault: sensitive information disclosure
vendor_redhat·2024-02-01·CVSS 4.5
CVE-2024-0831 [MEDIUM] CWE-532 vault: sensitive information disclosure
A sensitive information disclosure vulnerability was found in Hashicorp Vault. Enabling an audit device that specifies the `log_raw` option may log sensitive information to oth
Package: cert-manager/jetstack-cert-manager-rhel9 (cert-manager Operator for Red Hat OpenShift) - Not affected
Package: custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8 (Custom Metric Autoscaler operator for Red Hat Openshift) - Not affected
Package: openshift-pipelines-client (OpenShift Pipelines) - Not affec
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration
https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311
https://security.netapp.com/advisory/ntap-20240223-0005/
2024-02-01
Published