CVE-2024-8365

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-8365

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-8365.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-8365

Aliases

Related

CGA-rx73-rr3h-9383

Published

2024-09-02T05:15:17.823Z

Modified

2026-02-13T02:47:17.586563Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.

References

https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices/

Affected packages

Git / github.com/hashicorp/vault

Affected ranges

Type: GIT
Repo: https://github.com/hashicorp/vault
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4d0c53e84094b8017d32b6e5b7f8142035c8837f

Introduced

72850df1bc10581b74ba5f0f7b3736f31c034235

Fixed

4d0c53e84094b8017d32b6e5b7f8142035c8837f

Affected versions

v1.*

v1.17.0

v1.17.1

v1.17.2

v1.17.3

v1.17.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-8365.json"