Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-8365

Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.

Published

2024-09-02T05:15:17.823

Last Modified

2024-09-04T14:37:03.543

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.2 (MEDIUM)

Weaknesses

Type: Secondary
CWE-532
Type: Primary
CWE-532

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	hashicorp	vault	< 1.16.9	Yes
Application	hashicorp	vault	< 1.17.5	Yes
Application	hashicorp	vault	< 1.17.5	Yes

References

https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices/ Vendor Advisory ([email protected])