CVE-2024-9180
Published 2024-10-10
Priority P3 · 45 · high · CVSS 3.1: 7.2
AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.53% (40.6th percentile)
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | >= 0 < 1.18.0 | 1.18.0 |
| github.com | openbao_openbao | >= 0 < 2.0.3 | 2.0.3 |
| hashicorp | vault | >= 0.10.4 < 1.18.0 | 1.18.0 |
| hashicorp | vault | >= 1.15.0 < 1.15.16 | 1.15.16 |
| hashicorp | vault | >= 1.16.0 < 1.16.11 | 1.16.11 |
| hashicorp | vault | >= 1.7.7 < 1.18.0 | 1.18.0 |
| hashicorp | vault | 1.7.7 – 1.17.7 | — |
| hashicorp | vault_enterprise | >= 0.10.4 < 1.18.0 | 1.18.0 |
| openbao | openbao | < 2.0.3 | 2.0.3 |
CVSS provenance
nvd · v3.1 · 7.2 · HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vendor_redhat · 7.2 · HIGH
Red Hat
hashicorp/vault: Vault Operators in Root Namespace May Elevate Their Privileges
vendor_redhat·2024-10-10·CVSS 7.2
CVE-2024-9180 [HIGH] CWE-266 hashicorp/vault: Vault Operators in Root Namespace May Elevate Their Privileges
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.
A flaw was found in HashiCorp Vault. This vulnerability allows a privileged Vault operator with write permissions to the root namespace's identity endpoint to escalate their privileges to Vault’s root policy.
A misconfiguration in Vault allows a privileged operator (someone with write permissions on the root namespace’s identity endpoint) to elevate privileges—either their own or another user’s—to the root policy level, effectively giving full
OSV
Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault
osv·2024-10-11
CVE-2024-9180 Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault
GHSA
Vault Community Edition privilege escalation vulnerability
ghsa·2024-10-10
CVE-2024-9180 [HIGH] CWE-266 Vault Community Edition privilege escalation vulnerability
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16
OSV
Vault Community Edition privilege escalation vulnerability
osv·2024-10-10
CVE-2024-9180 [HIGH] Vault Community Edition privilege escalation vulnerability
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16
GHSA
BoringSSLAEADContext in Netty Repeats Nonces
ghsa·2024-06-05
CVE-2024-36121 [MEDIUM] CWE-190 BoringSSLAEADContext in Netty Repeats Nonces
### Summary
BoringSSLAEADContext keeps track of how many OHTTP responses have been sent and uses this sequence number to calculate the appropriate nonce to use with the encryption algorithm.
Unfortunately, two separate errors combine which would allow an attacker to cause the sequence number to overflow and thus the nonce to repeat.
### Details
1. There is no overflow detection or enforcement of the maximum sequence value. (This is a missed requirement from the draft Chunked Oblivious OHTTP RFC and so should be inherited from the HPKE RFC 9180, Section 5.2).
2. The sequence number (seq) is stored as 32-bit int which is relatively easy to overflow.
https://github.com/netty/netty-incubator-codec-ohttp/blob/1ddadb6473cd3be5491d114431ed4c1a9f3160
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.