CVE-2024-8365

EUVD-2024-2824

02.09.2024, 05:15

Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.2 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
HashiCorp	CNA	6.2 MEDIUM				CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 56%

Affected Products (NVD)

Vendor	Product	Version
hashicorp	vault	𝑥 < 1.16.9
hashicorp	vault	𝑥 < 1.17.5
hashicorp	vault	1.17.0 ≤ 𝑥 < 1.17.5

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-532 - Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References

https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices/