VYPR
High severity · NVD Advisory · Published Sep 26, 2024 · Updated Jan 10, 2025

Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default

CVE-2024-7594

Description

Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15.
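As an added example (not part of the advisory and not Vault's own code), a defender can audit certificates already issued by the engine for the condition described above. It assumes, per OpenSSH's certificate format, that such a certificate carries an empty valid principals field; the function names and sample certificates are constructed for illustration, and only ssh-ed25519-cert-v01@openssh.com certificates are handled.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"


def _string(buf, off):
    """Read one SSH wire string (uint32 length + bytes); return (value, next offset)."""
    n = int.from_bytes(buf[off:off + 4], "big")
    end = off + 4 + n
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:end], end


def principals(cert_line):
    """Return the valid principals of a '<type> <base64> [comment]' certificate line."""
    fields = cert_line.split()
    if len(fields) < 2 or fields[0].encode() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519-cert-v01 line")
    blob = base64.b64decode(fields[1], validate=True)
    off = 0
    for _ in range(3):  # certificate type string, nonce, public key
        _, off = _string(blob, off)
    off += 8 + 4  # serial (uint64) and certificate type (uint32)
    _, off = _string(blob, off)  # key id
    packed, _ = _string(blob, off)  # valid principals: a run of wire strings
    names, pos = [], 0
    while pos < len(packed):
        name, pos = _string(packed, pos)
        names.append(name.decode())
    return names


def _pack(*items):  # encode each item as an SSH wire string
    return b"".join(struct.pack(">I", len(i)) + i for i in items)


def sample_cert(*names):
    """Constructed certificate body, cut off after the principals field (unsigned, unusable)."""
    body = _pack(CERT_TYPE, b"constructed-nonce", bytes(32))
    body += struct.pack(">QI", 0, 1)  # serial 0, type 1 = user certificate
    body += _pack(b"constructed-key-id", _pack(*(n.encode() for n in names)))
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()


if __name__ == "__main__":
    for line in (sample_cert("deploy"), sample_cert()):
        print(principals(line) or "FLAG: certificate names no principals")
```

An empty list from `principals` marks a certificate to review and reissue with explicit principals.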

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| github.com/hashicorp/vault (Go) | >= 1.7.7, < 1.17.6 | 1.17.6 |
| github.com/openbao/openbao (Go) | >= 0.1.0 | |
| github.com/openbao/openbao (Go) | < 0.0.0-20241003222810-d5b4e9224698 | 0.0.0-20241003222810-d5b4e9224698 |
