Vulnerability Details CVE-2024-2877
Vault Enterprise, when configured with performance standby nodes and a configured audit device, will inadvertently log request headers on the standby node. These logs may have included sensitive HTTP request information in cleartext.
This vulnerability, CVE-2024-2877, was fixed in Vault Enterprise 1.15.8.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 17.7%
CVSS Severity
CVSS v3 Score 5.5
References
- https://discuss.hashicorp.com/t/hsec-2024-10-vault-enterprise-leaks-sensitive-http-request-headers-in-audit-log-when-deployed-with-a-performance-standby-node
- https://security.netapp.com/advisory/ntap-20240614-0002/
- https://discuss.hashicorp.com/t/hsec-2024-10-vault-enterprise-leaks-sensitive-http-request-headers-in-audit-log-when-deployed-with-a-performance-standby-node
- https://security.netapp.com/advisory/ntap-20240614-0002/
Products affected by CVE-2024-2877
-
cpe:2.3:a:hashicorp:vault:1.15.0
-
cpe:2.3:a:hashicorp:vault:1.15.2
-
cpe:2.3:a:hashicorp:vault:1.15.5
-
cpe:2.3:a:hashicorp:vault:1.15.7