OCSP Response Validation Fix for Vault and Vault Enterprise TLS Certificates
CVE-2024-2660
6.4 MEDIUM
Summary
The TLS certificates auth method in Vault and Vault Enterprise did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.
Affected Version(s)
Vault < 1.16.0
Vault Enterprise < 1.16.0
CVSS V3.1
Score: 6.4
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Timeline
Risk change from: null to: 6.4 - (MEDIUM)
Vulnerability published.
Collectors
NVD Database, Mitre Database