Vault TLS Auth OCSP Validation Flaw v1.14.0-<1.16.0
CVE-2024-2660 Published on April 4, 2024
Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses
Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.
Weakness Type
What is a Failing Open Vulnerability?
When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. By entering a less secure state, the product inherits the weaknesses associated with that state, making it easier to compromise. At the least, it causes administrators to have a false sense of security. This weakness typically occurs as a result of wanting to "fail functional" to minimize administration and support costs, instead of "failing safe."
CVE-2024-2660 has been classified to as a Failing Open vulnerability or weakness.
Products Associated with CVE-2024-2660
Want to know whenever a new CVE is published for HashiCorp Vault? stack.watch will email you.
Affected Versions
HashiCorp Vault:- Version 1.14.0 and below 1.16.0 is affected.
- Version 1.14.0 and below 1.16.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.