CVE-2024-8365 — Log File Information Exposure in Vault

CWE-532 — Log File Information Exposure5 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 42.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Vault Hashicorp Vault Enterprise Github.com Hashicorp Vault

Timeline

PublishedSep 2

Latest updateSep 6

Description

Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5hashicorp/vault_enterprise1.16.7 — 1.17.5

▶CVEListV5hashicorp/vault1.17.3 — 1.17.5

▶NVDhashicorp/vault1.17.0 — 1.17.5+2

▶Gogithub.com/hashicorp_vault1.17.3 — 1.17.5

🔴Vulnerability Details

OSV

Vault Leaks Client Token and Token Accessor in Audit Devices in github.com/hashicorp/vault↗2024-09-06

▶

GHSA

Vault Leaks Client Token and Token Accessor in Audit Devices↗2024-09-02

▶

OSV

Vault Leaks Client Token and Token Accessor in Audit Devices↗2024-09-02

▶

📋Vendor Advisories

Red Hat

vault: Vault Leaks Client Token and Token Accessor in Audit Devices↗2024-09-02

▶