Home > Vulnerability Database > CVE-2024-8365

Mend.io Vulnerability Database

CVE-2024-8365

Good to know:

Date: September 1, 2024

Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.

Language: Go

Severity Score

6.2

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-8365

Url: https://github.com/advisories/GHSA-jjxf-26c9-77gm

Url: https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices

Url: https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices/

Url: github.com/hashicorp/vault

Url: https://www.mend.io/vulnerability-database/CVE-2024-8365

Severity Score

6.2

Weakness Type (CWE)

Information Exposure Through Log Files

CWE-532

Top Fix

Upgrade Version

Upgrade to version github.com/hashicorp/vault-v1.17.5

Learn More

CVSS v3.1

Base Score:	6.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-8365

Good to know:

Date: September 1, 2024

Language: Go

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?