Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-0831

Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.

Published

2024-02-01T02:15:46.330

Last Modified

2024-11-21T08:47:28.063

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-532
Type: Primary
CWE-532

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	hashicorp	vault	< 1.15.5	Yes
Application	hashicorp	vault	< 1.15.5	Yes

References

https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration Exploit, Vendor Advisory ([email protected])
https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311 Vendor Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20240223-0005/ ([email protected])
https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration Exploit, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20240223-0005/ (af854a3a-2127-422b-91ae-364da2661108)