GHSA-jjxf-26c9-77gm

Source
https://github.com/advisories/GHSA-jjxf-26c9-77gm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-jjxf-26c9-77gm/GHSA-jjxf-26c9-77gm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jjxf-26c9-77gm
Aliases
Related
Published
2024-09-02T06:30:49Z
Modified
2024-09-06T21:41:33Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
Summary
Vault Leaks Client Token and Token Accessor in Audit Devices
Details

Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.
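
The advisory turns on one behaviour: an audit device is supposed to record sensitive auth fields as salted HMAC-SHA256 digests rather than plaintext, and the regression dropped that step for client tokens and token accessors. The following is an added illustration, not Vault's code, of both halves of that story: the hashing an audit device normally applies, and a defender-side scan of a JSON-lines audit log that flags entries where those fields were written in the clear. The salt value, the field names `auth.client_token` / `auth.accessor`, the `hmac-sha256:` prefix and the sample log lines are assumptions constructed for the demo; check them against your own audit device's output before relying on the scan.

```python
import hashlib
import hmac
import json
import re

# Constructed sample salt. A real audit device uses its own per-device salt;
# this value is an assumption for the demo, not anything Vault ships.
AUDIT_SALT = b"example-audit-salt"

# Fields under the "auth" object that an audit device is expected to hash
# rather than log in plaintext (assumption: key names as in a JSON audit entry).
SENSITIVE_AUTH_FIELDS = ("client_token", "accessor")

HMAC_PREFIX = "hmac-sha256:"
# A correctly hashed value: the prefix followed by 64 lowercase hex characters.
HMAC_RE = re.compile(r"^hmac-sha256:[0-9a-f]{64}$")


def hash_field(value: str, salt: bytes = AUDIT_SALT) -> str:
    """Return the salted HMAC-SHA256 form an audit device records for a sensitive value."""
    digest = hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()
    return HMAC_PREFIX + digest


def redact_entry(entry: dict, salt: bytes = AUDIT_SALT) -> dict:
    """Hash sensitive auth fields in a copy of the entry (the step the regression removed)."""
    out = json.loads(json.dumps(entry))  # deep copy; entries are plain JSON
    auth = out.get("auth") or {}
    for field in SENSITIVE_AUTH_FIELDS:
        val = auth.get(field)
        if isinstance(val, str) and val and not HMAC_RE.match(val):
            auth[field] = hash_field(val, salt)
    return out


def find_plaintext_fields(entry: dict) -> list:
    """List the sensitive auth fields of one audit entry that are not in hashed form."""
    auth = entry.get("auth") or {}
    return [
        f for f in SENSITIVE_AUTH_FIELDS
        if isinstance(auth.get(f), str) and auth[f] and not HMAC_RE.match(auth[f])
    ]


def scan_audit_log(lines) -> list:
    """Scan a JSON-lines audit log; return (line_no, leaked_fields) for affected entries."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # not an audit entry; skip rather than abort the scan
        leaked = find_plaintext_fields(entry)
        if leaked:
            findings.append((n, leaked))
    return findings


# Constructed sample log. Line 1 is what a healthy audit device writes; line 2 is
# the shape the regression produces. Token and accessor values are made up.
SAMPLE_LOG = [
    json.dumps({
        "type": "request", "time": "2024-09-02T00:00:00Z",
        "auth": {"client_token": hash_field("hvs.EXAMPLEtoken"),
                 "accessor": hash_field("EXAMPLEaccessor")},
        "request": {"path": "secret/data/app"},
    }),
    json.dumps({
        "type": "request", "time": "2024-09-02T00:00:01Z",
        "auth": {"client_token": "hvs.EXAMPLEtoken", "accessor": "EXAMPLEaccessor"},
        "request": {"path": "secret/data/app"},
    }),
]

if __name__ == "__main__":
    for line_no, fields in scan_audit_log(SAMPLE_LOG):
        print(f"line {line_no}: plaintext {', '.join(fields)}")
```

Run against an exported audit file (`scan_audit_log(open("audit.log"))`) to find the window during which an affected build wrote unhashed tokens; entries it reports are the ones whose token values should be treated as exposed and revoked, and the log itself handled as containing secrets until rotated.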

Database specific
{
    "nvd_published_at": "2024-09-02T05:15:17Z",
    "cwe_ids": [
        "CWE-532"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-03T20:47:47Z"
}
References

Affected packages

Go / github.com/hashicorp/vault

Package

Name
github.com/hashicorp/vault
Purl
pkg:golang/github.com/hashicorp/vault

Affected ranges

Type
SEMVER
Events
Introduced
1.17.3
Fixed
1.17.5