CVE-2024-6468
Published 2024-07-11
Priority: P3 43 · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.49% (38.5th percentile)
Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. When receiving a request from a source IP address that was not listed in proxy_protocol_authorized_addrs, the Vault API server would shut down and no longer respond to any HTTP requests, potentially resulting in denial of service.
While this bug also affected versions of Vault up to 1.17.1 and 1.16.5, a separate regression in those release series did not allow Vault operators to configure the deny_unauthorized option, thus not allowing the conditions for the denial of service to occur.
Fixed in Vault and Vault Enterprise 1.17.2, 1.16.6, and 1.15.12.
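As an added audit example (not code from this page or from HashiCorp), the Python below combines the affected version ranges stated above with a scan of a Vault listener configuration for the `deny_unauthorized` setting, and carries the advisory's caveat about the 1.16.x/1.17.x regression as a note in its verdict. The regex-based HCL parsing and the sample configuration are assumptions made for the example.

```python
import re
# Affected ranges taken from this page's advisory: bug present from 1.10.0,
# fixed in 1.15.12, 1.16.6 and 1.17.2 (half-open [lo, hi) tuples).
AFFECTED_RANGES = [((1, 10, 0), (1, 15, 12)), ((1, 16, 0), (1, 16, 6)),
                   ((1, 17, 0), (1, 17, 2))]

def parse_version(text):
    """'v1.16.5' or '1.16.5+ent' -> (1, 16, 5); suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Vault version: {text!r}")
    return tuple(int(x) for x in m.groups())

def deny_unauthorized_listeners(config_text):
    """Addresses of tcp listeners set to deny_unauthorized (assumption: flat blocks, regex HCL parsing)."""
    found = []
    for block in re.finditer(r'listener\s+"tcp"\s*\{([^{}]*)\}', config_text):
        body = block.group(1)
        behaviour = re.search(r'proxy_protocol_behavior\s*=\s*"([^"]+)"', body)
        address = re.search(r'\baddress\s*=\s*"([^"]+)"', body)
        if behaviour and behaviour.group(1) == "deny_unauthorized":
            found.append(address.group(1) if address else "<no address>")
    return found

def assess(vault_version, config_text):
    """Combine running version and listener config into an exposure verdict."""
    ver = parse_version(vault_version)
    in_range = any(lo <= ver < hi for lo, hi in AFFECTED_RANGES)
    listeners = deny_unauthorized_listeners(config_text)
    exposed = in_range and bool(listeners)
    note = ""
    if exposed and ver[:2] in ((1, 16), (1, 17)):
        # Advisory: 1.16.0-1.16.5 and 1.17.0-1.17.1 could not apply
        # deny_unauthorized, so the DoS could not trigger; still upgrade.
        note = "deny_unauthorized not configurable in this release series"
    return {"in_range": in_range, "listeners": listeners,
            "exposed": exposed, "note": note}

# Constructed sample config (not from the page): one exposed listener, one not.
SAMPLE_CONFIG = '''
listener "tcp" {
  address                         = "0.0.0.0:8200"
  proxy_protocol_behavior         = "deny_unauthorized"
  proxy_protocol_authorized_addrs = "10.0.1.5,10.0.1.6"
}
listener "tcp" {
  address                 = "127.0.0.1:8201"
  proxy_protocol_behavior = "allow_authorized"
}
'''
```

Feed it the output of `vault version` and the contents of the server's listener stanza; an `exposed` verdict means the version is in an affected range and at least one listener uses the triggering setting.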
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | >= 1.10.0 < 1.16.3 | 1.16.3 |
| github.com | hashicorp_vault | >= 1.10.0 < 1.15.12 | 1.15.12 |
| github.com | hashicorp_vault | >= 1.16.0-rc1 < 1.16.3 | 1.16.3 |
| github.com | hashicorp_vault | >= 1.17.0-rc1 < 1.17.2 | 1.17.2 |
| hashicorp | vault | >= 1.10.0 < 1.15.11 | 1.15.11 |
| hashicorp | vault | >= 1.10.0 < 1.15.12 | 1.15.12 |
| hashicorp | vault | >= 1.16.0 < 1.16.6 | 1.16.6 |
| hashicorp | vault | >= 1.17.0 < 1.17.2 | 1.17.2 |
| hashicorp | vault_enterprise | >= 1.10.0 < 1.15.11 | 1.15.11 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| vendor_redhat | | 7.5 | HIGH | |
Red Hat
vault: Denial of Service When Setting a Proxy Protocol Behavior
vendor_redhat·2024-07-11·CVSS 7.5
CVE-2024-6468 [HIGH] CWE-703 vault: Denial of Service When Setting a Proxy Protocol Behavior
OSV
Hashicorp Vault vulnerable to Improper Check or Handling of Exceptional Conditions in github.com/hashicorp/vault
osv·2024-07-12
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/hashicorp/vault before v1.15.12.
GHSA
Hashicorp Vault vulnerable to Improper Check or Handling of Exceptional Conditions
ghsa·2024-07-11
CVE-2024-6468 [HIGH] CWE-703 Hashicorp Vault vulnerable to Improper Check or Handling of Exceptional Conditions
OSV
Hashicorp Vault vulnerable to Improper Check or Handling of Exceptional Conditions
osv·2024-07-11
CVE-2024-6468 [HIGH] Hashicorp Vault vulnerable to Improper Check or Handling of Exceptional Conditions
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.