CVE-2024-2048
published 2024-03-04

CVE-2024-2048: Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as…

Priority: P351
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.45% (35.7th percentile)
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as the trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to bypass authentication. Fixed in Vault 1.15.5 and 1.14.10.
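The advisory's condition is a trusted certificate that is not a CA. As an added example (not code from HashiCorp, Vault or this advisory), the Go program below checks a PEM certificate the way an operator would audit a cert-auth trusted certificate: it reports whether the basicConstraints extension marks it as a CA. The two self-signed certificates are constructed in-block by a hypothetical helper for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// IsCACert parses one PEM certificate, as configured as a cert-auth trusted
// certificate, and reports whether it is a CA; false is the non-CA case above.
func IsCACert(pemBytes []byte) (bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, fmt.Errorf("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	return cert.BasicConstraintsValid && cert.IsCA, nil // CA only if basicConstraints says so
}

// selfSignedPEM is a hypothetical demo helper that builds a constructed self-signed cert.
func selfSignedPEM(isCA bool) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: isCA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	ca, _ := IsCACert(selfSignedPEM(true))   // a real CA: the intended configuration
	leaf, _ := IsCACert(selfSignedPEM(false)) // a leaf used as trusted cert: the risky one
	fmt.Println("CA cert:", ca, "leaf cert:", leaf) // prints "CA cert: true leaf cert: false"
}
```

Point the check at each certificate listed under the cert auth method's trusted certificates; any that reports false is the configuration the fixed versions address.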

Affected (9 ranges)

Vendor       Product            Version range          Fixed in
github.com   hashicorp_vault    >= 0 < 1.14.10         1.14.10
github.com   hashicorp_vault    >= 1.15.0 < 1.15.5     1.15.5
hashicorp    vault              < 1.14.10              1.14.10
hashicorp    vault              >= 1.15.0 < 1.15.5     1.15.5
hashicorp    vault              >= 1.15.5 < 1.16.0     1.16.0
hashicorp    vault_enterprise   >= 1.15.5 < 1.16.0     1.16.0
latchset     jwcrypto           >= 0 < 1.5.6           1.5.6
linux        linux_kernel       >= 0 < 6.7.7-1         6.7.7-1
openbao      openbao            < 2.0.0                2.0.0

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat             8.1     HIGH