CVE-2024-2877 – Vault Enterprise Leaks Sensitive HTTP Request Headers in the Audit Log When Deployed With a Performance Standby Node
https://notcve.org/view.php?id=CVE-2024-2877
Vault Enterprise, when configured with performance standby nodes and a configured audit device, will inadvertently log request headers on the standby node. These logs may have included sensitive HTTP request information in cleartext. This vulnerability, CVE-2024-2877, was fixed in Vault Enterprise 1.15.8.
References: https://discuss.hashicorp.com/t/hsec-2024-10-vault-enterprise-leaks-sensitive-http-request-headers-in-audit-log-when-deployed-with-a-performance-standby-node and https://security.netapp.com/advisory/ntap-20240614-0002
Weakness: CWE-532: Insertion of Sensitive Information into Log File
CVE-2024-2660 – Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses
https://notcve.org/view.php?id=CVE-2024-2660
Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.
References: https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573 and https://security.netapp.com/advisory/ntap-20240524-0007
Weaknesses: CWE-636: Not Failing Securely ('Failing Open'); CWE-703: Improper Check or Handling of Exceptional Conditions
CVE-2024-2048 – Vault Cert Auth Method Did Not Correctly Validate Non-CA Certificates
https://notcve.org/view.php?id=CVE-2024-2048
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to bypass authentication. Fixed in Vault 1.15.5 and 1.14.10.
References: https://discuss.hashicorp.com/t/hcsec-2024-05-vault-cert-auth-method-did-not-correctly-validate-non-ca-certificates/63382 and https://security.netapp.com/advisory/ntap-20240524-0009
Weakness: CWE-295: Improper Certificate Validation