CVE-2024-8365
published 2024-09-02


Priority: P4 (34)
CVSS 3.1: 6.5 (medium), vector AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:N / A:N
EPSS: 0.47% (37.5th percentile)
Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.

Affected (6 ranges)

Vendor      | Product          | Version range       | Fixed in
github.com  | hashicorp_vault  | >= 1.17.3 < 1.17.5  | 1.17.5
hashicorp   | vault            | < 1.16.9            | 1.16.9
hashicorp   | vault            | < 1.17.5            | 1.17.5
hashicorp   | vault            | >= 1.17.0 < 1.17.5  | 1.17.5
hashicorp   | vault            | >= 1.17.3 < 1.17.5  | 1.17.5
hashicorp   | vault_enterprise | >= 1.16.7 < 1.17.5  | 1.17.5

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 6.5   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
ghsa           |         | 6.5   | MEDIUM   |
osv            |         | 6.5   | MEDIUM   |
vendor_redhat  |         | 6.2   | MEDIUM   |