Moderate severity · NVD Advisory · Published Sep 2, 2024 · Updated Sep 4, 2024
Vault Leaks AppRole Client Tokens And Accessor in Audit Log
CVE-2024-8365
Description
Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.
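A defender-side check for this regression, added here as an example rather than taken from the advisory or from Vault's own code: it scans audit-device output line by line and reports any client token, token accessor, or X-Vault-Token header value that is not wrapped in Vault's `hmac-sha256:` envelope. The entry layout (`auth.client_token`, `auth.accessor`, `request.headers`), the header name treated as sensitive, and the two sample lines are assumptions constructed for this example.

```python
import json

# Constructed sample audit entries, not taken from any real deployment.
# Line 1 is what a healthy audit device writes; line 2 shows the regression
# (plaintext token and accessor). Field layout is assumed, not from the advisory.
SAMPLE_AUDIT_LOG = """\
{"type":"request","auth":{"client_token":"hmac-sha256:3f1a","accessor":"hmac-sha256:9c0b"},"request":{"path":"secret/data/app","headers":{"X-Vault-Token":["hmac-sha256:3f1a"]}}}
{"type":"response","auth":{"client_token":"hvs.EXAMPLEPLAINTEXTTOKEN","accessor":"EXAMPLEPLAINTEXTACCESSOR"},"request":{"path":"auth/approle/login","headers":{"X-Vault-Token":["hvs.EXAMPLEPLAINTEXTTOKEN"]}}}
"""

HMAC_PREFIX = "hmac-sha256:"
# Assumed set of request headers that the audit device should be HMAC'ing.
SENSITIVE_HEADERS = {"x-vault-token"}


def _check_value(path, value, findings):
    """Append `path` to findings for every non-empty string under `value`
    that is not an HMAC envelope; lists (header values) are walked too."""
    if isinstance(value, str):
        if value and not value.startswith(HMAC_PREFIX):
            findings.append(path)
    elif isinstance(value, list):
        for i, item in enumerate(value):
            _check_value(f"{path}[{i}]", item, findings)


def find_plaintext_credentials(log_text):
    """Return a list of (line_number, [field paths]) for every audit entry
    whose token, accessor or sensitive header values are stored in plaintext."""
    results = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        entry = json.loads(line)
        findings = []
        auth = entry.get("auth") or {}
        for field in ("client_token", "accessor"):
            if field in auth:
                _check_value(f"auth.{field}", auth[field], findings)
        headers = (entry.get("request") or {}).get("headers") or {}
        for name, value in headers.items():
            if name.lower() in SENSITIVE_HEADERS:
                _check_value(f"request.headers.{name}", value, findings)
        if findings:
            results.append((lineno, findings))
    return results


if __name__ == "__main__":
    for lineno, fields in find_plaintext_credentials(SAMPLE_AUDIT_LOG):
        print(f"line {lineno}: plaintext values in {', '.join(fields)}")
```

Run it against a copy of the audit log (e.g. `find_plaintext_credentials(open("vault_audit.log").read())`); any hit on a version in the affected range is a signal to rotate the exposed tokens and treat the log file itself as sensitive.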
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/hashicorp/vault | Go | >= 1.17.3, < 1.17.5 | 1.17.5 |
Affected products
- HashiCorp/Vault Enterprise (v5), range: 1.16.7
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-jjxf-26c9-77gm (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-8365 (NVD advisory)
- github.com/hashicorp/vault (package)
- discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices (HashiCorp security bulletin HCSEC-2024-18, cited by GHSA and MITRE)