CVSS: 6.2EPSS: 0%CPEs: 2EXPL: 0CVE-2024-8365 – Vault Leaks AppRole Client Tokens And Accessor in Audit Log
https://notcve.org/view.php?id=CVE-2024-8365
Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9. Vault Community Edition y Vault Enterprise experimentaron una regresión en la que se eliminó la funcionalidad que codificaba mediante HMAC los encabezados confidenciales en el dispositivo de auditoría configurado, específicamente los tokens de cliente y los descriptores de acceso de token. Esto provocó que los valores de texto sin formato de los tokens de cliente y los descriptores de acceso de token se almacenaran en el registro de auditoría. • https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 4.0EPSS: 0%CPEs: 4EXPL: 0CVE-2015-5711
https://notcve.org/view.php?id=CVE-2015-5711
TIBCO Managed File Transfer Internet Server before 7.2.5, Managed File Transfer Command Center before 7.2.5, Slingshot before 1.9.4, and Vault before 2.0.1 allow remote authenticated users to obtain sensitive information via a crafted HTTP request. Vulnerabilidad en TIBCO Managed File Transfer Internet Server en versiones anteriores a 7.2.5, Managed File Transfer Command Center en versiones anteriores a 7.2.5, Slingshot en versiones anteriores a 1.9.4 y Vault en versiones anteriores a 2.0.1, permite a usuarios remotos autenticados obtener información sensible a través de una petición HTTP manipulada. • http://www.securitytracker.com/id/1033678 http://www.tibco.com/assets/blt423f06fbac6ee0c6/2015-003-advisory.txt http://www.tibco.com/mk/advisory.jsp • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •