High severityNVD Advisory· Published Mar 4, 2024· Updated Feb 13, 2025
Vault Cert Auth Method Did Not Correctly Validate Non-CA Certificates
CVE-2024-2048
Description
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to bypass authentication. Fixed in Vault 1.15.5 and 1.14.10.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/hashicorp/vaultGo | >= 1.15.0, < 1.15.5 | 1.15.5 |
github.com/hashicorp/vaultGo | < 1.14.10 | 1.14.10 |
Affected products
2- HashiCorp/Vault Enterprisev5Range: 1.15.5
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-r3w7-mfpm-c2vwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-2048ghsaADVISORY
- discuss.hashicorp.com/t/hcsec-2024-05-vault-cert-auth-method-did-not-correctly-validate-non-ca-certificates/63382ghsaWEB
- security.netapp.com/advisory/ntap-20240524-0009ghsaWEB
- security.netapp.com/advisory/ntap-20240524-0009/mitre
News mentions
0No linked articles in our index yet.