CVE-2024-2660
published 2024-04-04
Priority: P4 (30)
Severity: medium (CVSS 3.1 base score 6.8)
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.30% (21.9th percentile)
Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | >= 0 < 1.16.0 | 1.16.0 |
| hashicorp | vault | >= 1.14.0 < 1.14.11 | 1.14.11 |
| hashicorp | vault | >= 1.14.0 < 1.16.0 | 1.16.0 |
| hashicorp | vault | >= 1.15.0 < 1.15.7 | 1.15.7 |
| hashicorp | vault_enterprise | >= 1.14.0 < 1.16.0 | 1.16.0 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 6.8 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Red Hat (vendor) | 6.4 | MEDIUM | (not published on this page) |
OSV (2024-06-04)
CVE-2024-2660: HashiCorp Vault does not correctly validate OCSP responses in github.com/hashicorp/vault
GHSA (2024-04-04)
CVE-2024-2660 [MEDIUM] CWE-636 (Not Failing Securely): HashiCorp Vault does not correctly validate OCSP responses
Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.
OSV (2024-04-04)
CVE-2024-2660 [MEDIUM]: HashiCorp Vault does not correctly validate OCSP responses (same advisory text as the GHSA entry)
Red Hat (2024-04-04, CVSS 6.4)
CVE-2024-2660 [MEDIUM] CWE-703 (Improper Check or Handling of Exceptional Conditions): Vault TLS cert auth method did not correctly validate OCSP responses
A flaw was found in the OCSP response handling logic of Vault's TLS certificate authentication method. When more than one OCSP source is configured, signatures and responses from the multiple servers may not be handled properly. A malicious actor with privileged network access may be able to authenticate successfully via Vault's TLS certificate authentication method because Vault acts on incorrect certificate status information.
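Two offline checks an operator would want for this advisory, written as an added example for this page (not HashiCorp's code): whether a given Vault build falls inside the affected ranges in the table above, and whether a cert-auth role actually has the OCSP path turned on, since the flaw only matters "when one or more OCSP sources were configured". The version parser assumes the `vault version` banner format ("Vault v1.15.6+ent (hash), built ..."), treats a pre-release suffix such as "-rc1" like its base version, and treats Vault Enterprise 1.16.0 as affected because the advisory text names 1.16.1 as the Enterprise fix. The role JSON is a constructed sample in the shape of `vault read -format=json auth/cert/certs/<role>`; the field names (`ocsp_enabled`, `ocsp_fail_open`, `ocsp_query_all_servers`, `ocsp_servers_override`) are Vault's documented cert-auth parameters, the values are invented.

```shell
#!/bin/sh
# Added example for the CVE-2024-2660 page; not HashiCorp's code.
#   vault_is_affected VERSION         -> exit 0 if VERSION is in an affected range
#   cert_role_ocsp_enabled JSON       -> exit 0 if the role has ocsp_enabled=true
#   cert_role_ocsp_server_count JSON  -> prints how many responders are overridden

# Ranges follow the table on this page (1.14.x < 1.14.11, 1.15.x < 1.15.7,
# community 1.16.0 fixed); Enterprise 1.16.0 is treated as affected because the
# advisory text gives 1.16.1 as the Enterprise fix. Accepts "1.15.6",
# "v1.15.6+ent" or full `vault version` output. Pre-release suffixes such as
# "-rc1" are assumed (not stated by the advisory) to behave like the base version.
vault_is_affected() {
    v=${1#Vault }          # drop the "Vault " banner prefix if present
    v=${v%% *}             # keep only the version token, not the build hash
    v=${v#v}               # drop a leading "v"
    case "$v" in
        *+ent*) ent=1 ;;   # Enterprise builds carry "+ent" build metadata
        *)      ent=0 ;;
    esac
    v=${v%%+*}             # strip build metadata
    v=${v%%-*}             # strip pre-release suffix (assumption above)
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "1.16" means "1.16.0"

    [ "$major" -eq 1 ] || return 1
    if [ "$minor" -eq 14 ]; then [ "$patch" -lt 11 ] && return 0; return 1; fi
    if [ "$minor" -eq 15 ]; then [ "$patch" -lt 7 ]  && return 0; return 1; fi
    if [ "$minor" -eq 16 ]; then
        [ "$ent" -eq 1 ] && [ "$patch" -lt 1 ] && return 0
        return 1
    fi
    return 1   # below 1.14.0 or 1.17+: outside the affected ranges
}

# Constructed sample of `vault read -format=json auth/cert/certs/<role>` output.
# Field names are Vault's real cert-auth OCSP parameters; values are invented.
SAMPLE_ROLE_JSON='{
  "data": {
    "ocsp_enabled": true,
    "ocsp_fail_open": false,
    "ocsp_query_all_servers": true,
    "ocsp_servers_override": [
      "http://ocsp-a.example.internal:8080",
      "http://ocsp-b.example.internal:8080"
    ]
  }
}'

# Exit 0 if the role enables OCSP checking, i.e. the flawed code path is reachable.
cert_role_ocsp_enabled() {
    printf '%s' "$1" | tr -d '[:space:]' | grep -q '"ocsp_enabled":true'
}

# Print the number of responders in ocsp_servers_override (0 if unset); more
# than one is the "multiple servers" case Red Hat's analysis singles out.
cert_role_ocsp_server_count() {
    printf '%s' "$1" | tr -d '[:space:]' \
      | sed -n 's/.*"ocsp_servers_override":\[\([^]]*\)\].*/\1/p' \
      | tr ',' '\n' | grep -c . || true
}

# Stand-alone demo on constructed inputs, plus the local binary if present.
for ver in "Vault v1.15.6+ent (abc123)" "1.15.7+ent" "1.16.0" "1.16.0+ent"; do
    if vault_is_affected "$ver"; then echo "$ver: affected"; else echo "$ver: not affected"; fi
done
if command -v vault >/dev/null 2>&1; then
    if vault_is_affected "$(vault version)"; then echo "local vault: affected"; fi
fi
if cert_role_ocsp_enabled "$SAMPLE_ROLE_JSON"; then
    echo "sample role: OCSP enabled, $(cert_role_ocsp_server_count "$SAMPLE_ROLE_JSON") overridden responders"
fi
```

The only fix the advisory offers is upgrading; these functions just tell you which side of the ranges a deployment sits on and whether any cert-auth role even exercises OCSP, which is what decides whether the upgrade is urgent.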
Package: ocs4/cephc
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-04-04