CVE-2024-7594

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-7594
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-7594.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-7594
Aliases
Downstream
Related
Published
2024-09-26T20:15:07Z
Modified
2025-08-08T05:40:19Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Vault’s SSH secrets engine did not require the validprincipals list to contain a value by default. If the validprincipals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15.

References

Affected packages

Git / github.com/hashicorp/vault

Affected ranges

Type
GIT
Repo
https://github.com/hashicorp/vault
Events
Introduced
77b9623370a1da48362693d606ef28f678018378
Fixed
69a720d5d940bfcd590d7c24f3c98f178673d796