CVE-2024-8365
Published: 2024-09-02
Priority: P4 · 34 · medium · CVSS 3.1: 6.5
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS: 0.47% (37.5th percentile)
Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | >= 1.17.3 < 1.17.5 | 1.17.5 |
| hashicorp | vault | < 1.16.9 | 1.16.9 |
| hashicorp | vault | < 1.17.5 | 1.17.5 |
| hashicorp | vault | >= 1.17.0 < 1.17.5 | 1.17.5 |
| hashicorp | vault | >= 1.17.3 < 1.17.5 | 1.17.5 |
| hashicorp | vault_enterprise | >= 1.16.7 < 1.17.5 | 1.17.5 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| ghsa | | 6.5 | MEDIUM | |
| osv | | 6.5 | MEDIUM | |
| vendor_redhat | | 6.2 | MEDIUM | |
Red Hat
vault: Vault Leaks Client Token and Token Accessor in Audit Devices
vendor_redhat · 2024-09-02 · CVSS 6.2 · MEDIUM · CWE-532
Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.
A flaw was found in the HashiCorp Vault. Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plainte…
OSV
Vault Leaks Client Token and Token Accessor in Audit Devices in github.com/hashicorp/vault
osv · 2024-09-06
GHSA
Vault Leaks Client Token and Token Accessor in Audit Devices
ghsa · 2024-09-02 · CVSS 6.5 · MEDIUM · CWE-532
Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.
OSV
Vault Leaks Client Token and Token Accessor in Audit Devices
osv · 2024-09-02 · CVSS 6.5 · MEDIUM
Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-09-02