Vault 1.17.5/1.16.9 HMAC Audit Log Regression CVE-2024-8365
CVE-2024-8365 Published on September 2, 2024
Vault Leaks AppRole Client Tokens And Accessor in Audit Log
Vault Community Edition and Vault Enterprise experienced a regression in which the functionality that HMACed sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. As a result, the plaintext values of client tokens and token accessors were written to the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and in Vault Enterprise 1.16.9.
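As an added example (not from this advisory or from HashiCorp), the check an operator would want after upgrading: walk an existing JSON-lines audit log and report every client token or accessor field that was written in plaintext instead of in the hmac-sha256: form a healthy audit device emits. The field names are assumed from the shape of Vault audit entries, and the two sample log lines are constructed.

```python
import json

# Keys whose values the audit device normally HMACs. Field names are assumed
# from the shape of Vault JSON audit entries; confirm against your own logs.
SENSITIVE_KEYS = {"client_token", "accessor", "client_token_accessor"}
HMAC_PREFIX = "hmac-sha256:"  # form a healthy device writes: prefix + hex digest

def find_plaintext_secrets(entry, path=""):
    """Walk one audit entry; return (path, value) for sensitive keys whose value
    is not HMACed. Accessors are plaintext by design on a device configured
    with hmac_accessor=false, so expect accessor hits on such devices."""
    hits = []
    if isinstance(entry, dict):
        for key, val in entry.items():
            sub = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS and isinstance(val, str) and val:
                if not val.startswith(HMAC_PREFIX):
                    hits.append((sub, val))
            else:
                hits.extend(find_plaintext_secrets(val, sub))
    elif isinstance(entry, list):
        for i, val in enumerate(entry):
            hits.extend(find_plaintext_secrets(val, f"{path}[{i}]"))
    return hits

def scan_audit_log(lines):
    """Return (line_no, path, value) for every plaintext hit in a JSON-lines log."""
    findings = []
    for n, line in enumerate(lines, 1):
        if line.strip():
            findings += [(n, p, v) for p, v in find_plaintext_secrets(json.loads(line))]
    return findings

# Constructed sample log: line 1 as a healthy device writes it, line 2 as the
# regressed versions wrote it (token and accessor values are made up).
SAMPLE_LOG = [
    '{"type":"request","auth":{"client_token":"hmac-sha256:aa11","accessor":"hmac-sha256:bb22"},'
    '"request":{"path":"secret/data/app","client_token":"hmac-sha256:aa11","client_token_accessor":"hmac-sha256:bb22"}}',
    '{"type":"request","auth":{"client_token":"hvs.CAESIconstructed","accessor":"constructedAccessor"},'
    '"request":{"path":"secret/data/app","client_token":"hvs.CAESIconstructed","client_token_accessor":"constructedAccessor"}}',
]

if __name__ == "__main__":
    for hit in scan_audit_log(SAMPLE_LOG):
        print(hit)
```

Any hit from the affected versions means the token in that line should be treated as exposed and revoked, and the log file itself handled as sensitive.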
Weakness Type
Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
Products Associated with CVE-2024-8365
Affected Versions
HashiCorp Vault:
- Versions from 1.17.3 up to, but not including, 1.17.5 are affected.
- Versions from 1.16.7 up to, but not including, 1.17.5 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.