CVE-2024-2660 — Failing Open in Vault Enterprise

CWE-636 — Failing Open CWE-703 — Improper Check or Handling of Exceptional Conditions CWE-459 — Incomplete Cleanup6 documents4 sources

Severity

6.8MEDIUMNVD

EPSS

0.6%

top 30.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Vault Enterprise Github.com Hashicorp Vault Hashicorp Vault

Timeline

PublishedApr 4

Latest updateNov 5

Description

Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5hashicorp/vault_enterprise1.14.0 — 1.16.0

▶NVDhashicorp/vault1.14.0 — 1.14.11+2

▶Gogithub.com/hashicorp_vault< 1.16.0

🔴Vulnerability Details

OSV

HashiCorpVault does not correctly validate OCSP responses in github.com/hashicorp/vault↗2024-06-04

▶

GHSA

HashiCorpVault does not correctly validate OCSP responses↗2024-04-04

▶

OSV

HashiCorpVault does not correctly validate OCSP responses↗2024-04-04

▶

📋Vendor Advisories

Red Hat

kernel: net/mlx5: Unregister notifier on eswitch init failure↗2024-11-05

▶

Red Hat

Vault: Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses↗2024-04-04

▶