Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-jjxf-26c9-77gm #3113

Closed
GoVulnBot opened this issue Sep 3, 2024 · 1 comment
Assignees
Labels

Comments

@GoVulnBot
Copy link

Advisory GHSA-jjxf-26c9-77gm references a vulnerability in the following Go modules:

Module
github.com/hashicorp/vault

Description:
Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp/vault
      versions:
        - introduced: 1.17.3
        - fixed: 1.17.5
      vulnerable_at: 1.17.4
summary: Vault Leaks Client Token and Token Accessor in Audit Devices in github.com/hashicorp/vault
cves:
    - CVE-2024-8365
ghsas:
    - GHSA-jjxf-26c9-77gm
references:
    - advisory: https://github.com/advisories/GHSA-jjxf-26c9-77gm
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8365
    - web: https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices
source:
    id: GHSA-jjxf-26c9-77gm
    created: 2024-09-03T21:01:29.917801356Z
review_status: UNREVIEWED

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants