Moderate severity · NVD Advisory · Published Sep 2, 2024 · Updated Sep 4, 2024
Vault Leaks AppRole Client Tokens And Accessor in Audit Log
CVE-2024-8365
Description
Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/hashicorp/vault (Go) | >= 1.17.3, < 1.17.5 | 1.17.5 |
Affected products
OSV package coordinates (6 entries, none with a CPE):
- pkg:apk/chainguard/vault-1.16
- pkg:apk/chainguard/vault-1.16-compat
- pkg:apk/chainguard/vault-fips-1.17
- pkg:apk/chainguard/vault-fips-1.17-compat
- pkg:bitnami/vault
- pkg:golang/github.com/hashicorp/vault
Affected version ranges listed for these entries:
- < 1.16.3-r29
- < 1.16.3-r24
- < 1.17.5-r0
- < 1.17.5-r0
- >= 1.16.7, < 1.16.9
- >= 1.17.3, < 1.17.5
- 1.16.7
References
- github.com/advisories/GHSA-jjxf-26c9-77gm (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-8365 (GHSA, advisory)
- github.com/hashicorp/vault (GHSA, package)
- discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices (GHSA, web; also listed by MITRE)