Vulnerability-Lookup

CVE-2024-2660 (GCVE-0-2024-2660)

Vulnerability from cvelistv5 – Published: 2024-04-04 17:55 – Updated: 2024-09-26 00:13

Title

Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses

Summary

Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.

Severity ?

6.4 (Medium)


                        
                          CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-636 - Not Failing Securely (Failing Open)

Assigner

HashiCorp

References

URL

Tags

https://discuss.hashicorp.com/t/hcsec-2024-07-vau…

Impacted products

Vendor

Product

Version

HashiCorp

Vault

Affected: 1.14.0 , < 1.16.0 (semver)

HashiCorp

Vault Enterprise

Affected: 1.14.0 , < 1.16.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-2660",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-09T16:05:40.204182Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:29:09.743Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T19:18:48.125Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240524-0007/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "lessThan": "1.16.0",
              "status": "affected",
              "version": "1.14.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault Enterprise",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.14.11",
                  "status": "unaffected"
                },
                {
                  "at": "1.15.7",
                  "status": "unaffected"
                }
              ],
              "lessThan": "1.16.0",
              "status": "affected",
              "version": "1.14.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eVault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.\u003c/p\u003e\u003cbr/\u003e"
            }
          ],
          "value": "Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-26",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-26: Leveraging Race Conditions"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-636",
              "description": "CWE-636: Not Failing Securely (Failing Open)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-26T00:13:17.242Z",
        "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "shortName": "HashiCorp"
      },
      "references": [
        {
          "url": "https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573"
        }
      ],
      "source": {
        "advisory": "HCSEC-2024-07",
        "discovery": "INTERNAL"
      },
      "title": "Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
    "assignerShortName": "HashiCorp",
    "cveId": "CVE-2024-2660",
    "datePublished": "2024-04-04T17:55:20.192Z",
    "dateReserved": "2024-03-19T17:34:27.401Z",
    "dateUpdated": "2024-09-26T00:13:17.242Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240524-0007/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T19:18:48.125Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-2660\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-09T16:05:40.204182Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:22.689Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses\", \"source\": {\"advisory\": \"HCSEC-2024-07\", \"discovery\": \"INTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-26\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-26: Leveraging Race Conditions\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 6.4, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/hashicorp/vault\", \"vendor\": \"HashiCorp\", \"product\": \"Vault\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.14.0\", \"lessThan\": \"1.16.0\", \"versionType\": \"semver\"}], \"platforms\": [\"64 bit\", \"32 bit\", \"x86\", \"ARM\", \"MacOS\", \"Windows\", \"Linux\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://github.com/hashicorp/vault\", \"vendor\": \"HashiCorp\", \"product\": \"Vault Enterprise\", \"versions\": [{\"status\": \"affected\", \"changes\": [{\"at\": \"1.14.11\", \"status\": \"unaffected\"}, {\"at\": \"1.15.7\", \"status\": \"unaffected\"}], \"version\": \"1.14.0\", \"lessThan\": \"1.16.0\", \"versionType\": \"semver\"}], \"platforms\": [\"64 bit\", \"32 bit\", \"x86\", \"ARM\", \"MacOS\", \"Windows\", \"Linux\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eVault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.\u003c/p\u003e\u003cbr/\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-636\", \"description\": \"CWE-636: Not Failing Securely (Failing Open)\"}]}], \"providerMetadata\": {\"orgId\": \"67fedba0-ff2e-4543-ba5b-aa93e87718cc\", \"shortName\": \"HashiCorp\", \"dateUpdated\": \"2024-09-26T00:13:17.242Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-2660\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-26T00:13:17.242Z\", \"dateReserved\": \"2024-03-19T17:34:27.401Z\", \"assignerOrgId\": \"67fedba0-ff2e-4543-ba5b-aa93e87718cc\", \"datePublished\": \"2024-04-04T17:55:20.192Z\", \"assignerShortName\": \"HashiCorp\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CVE-2024-2660

Vulnerability from fstec - Published: 04.04.2024

Title

Уязвимость компонента проверки сертификатов TLS платформ для архивирования корпоративной информации HashiCorp Vault и Vault Enterprise, позволяющая нарушителю обойти процесс аутентификации

Description

Уязвимость компонента проверки протокола TLS платформ для архивирования корпоративной информации HashiCorp Vault и Vault Enterprise связана с некорректной обработкой исключительных состояний. Эксплуатация уязвимости может позволить нарушителю обойти процесс аутентификации

Severity ?


                    
                      AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Vendor

ООО «Ред Софт», HashiCorp

Software Name

РЕД ОС (запись в едином реестре российских программ №3751), Vault Enterprise, Vault

Software Version

7.3 (РЕД ОС), до 1.15.7 (Vault Enterprise), до 1.16.1 (Vault Enterprise), до 1.14.11 (Vault Enterprise), до 1.16.0 (Vault)

Possible Mitigations

Использование рекомендаций: https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573 Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/

Reference

https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573 https://vuldb.com/ru/?id.259402 http://repo.red-soft.ru/redos/7.3c/x86_64/updates/

CWE

CWE-703

JSON

To clipboard

{
  "CVSS 2.0": "AV:A/AC:H/Au:M/C:C/I:C/A:C",
  "CVSS 3.0": "AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, HashiCorp",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), \u0434\u043e 1.15.7 (Vault Enterprise), \u0434\u043e 1.16.1 (Vault Enterprise), \u0434\u043e 1.14.11 (Vault Enterprise), \u0434\u043e 1.16.0 (Vault)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "04.04.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "06.08.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "22.04.2024",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-03127",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2024-2660",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Vault Enterprise, Vault",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0432 TLS \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c \u0434\u043b\u044f \u0430\u0440\u0445\u0438\u0432\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u043a\u043e\u0440\u043f\u043e\u0440\u0430\u0442\u0438\u0432\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 HashiCorp Vault \u0438 Vault Enterprise, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0431\u043e\u0439\u0442\u0438 \u043f\u0440\u043e\u0446\u0435\u0441\u0441 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0438\u043b\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0430 \u0438\u0441\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0445 \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0439 (CWE-703)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u0430 TLS  \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c \u0434\u043b\u044f \u0430\u0440\u0445\u0438\u0432\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u043a\u043e\u0440\u043f\u043e\u0440\u0430\u0442\u0438\u0432\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 HashiCorp Vault \u0438 Vault Enterprise \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u043e\u0439 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u043e\u0439 \u0438\u0441\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0445 \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0439. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0431\u043e\u0439\u0442\u0438 \u043f\u0440\u043e\u0446\u0435\u0441\u0441 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0440\u043e\u043a\u0430\u043c\u0438 \u0438 \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435\u043c",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573\nhttps://vuldb.com/ru/?id.259402\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-703",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,2)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,4)"
}

GHSA-J2RP-GMQV-FRHV

Vulnerability from github – Published: 2024-04-04 18:30 – Updated: 2024-09-26 16:45

Summary

HashiCorpVault does not correctly validate OCSP responses

Details

Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.

Severity ?

6.4 (Medium)


                  
                    CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/vault"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-2660"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-636",
      "CWE-703"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-04T22:10:49Z",
    "nvd_published_at": "2024-04-04T18:15:14Z",
    "severity": "MODERATE"
  },
  "details": "Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.",
  "id": "GHSA-j2rp-gmqv-frhv",
  "modified": "2024-09-26T16:45:51Z",
  "published": "2024-04-04T18:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2660"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hashicorp/vault"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240524-0007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HashiCorpVault does not correctly validate OCSP responses"
}

GSD-2024-2660

Vulnerability from gsd - Updated: 2024-04-02 05:02

Details

Aliases

CVE-2024-2660

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-2660"
      ],
      "details": "Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.",
      "id": "GSD-2024-2660",
      "modified": "2024-04-02T05:02:53.313730Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@hashicorp.com",
        "ID": "CVE-2024-2660",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Vault",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "1.14.0",
                          "version_value": "1.16.0"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Vault Enterprise",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "unaffected",
                            "versions": [
                              {
                                "changes": [
                                  {
                                    "at": "1.14.11",
                                    "status": "unaffected"
                                  },
                                  {
                                    "at": "1.15.7",
                                    "status": "unaffected"
                                  }
                                ],
                                "lessThan": "1.16.0",
                                "status": "affected",
                                "version": "1.14.0",
                                "versionType": "semver"
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "HashiCorp"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-703",
                "lang": "eng",
                "value": "CWE-703: Improper Check or Handling of Exceptional Conditions"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573",
            "refsource": "MISC",
            "url": "https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573"
          }
        ]
      },
      "source": {
        "advisory": "HCSEC-2024-07",
        "discovery": "INTERNAL"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11."
          }
        ],
        "id": "CVE-2024-2660",
        "lastModified": "2024-04-04T19:24:50.670",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 0.5,
              "impactScore": 5.9,
              "source": "security@hashicorp.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-04-04T18:15:14.783",
        "references": [
          {
            "source": "security@hashicorp.com",
            "url": "https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573"
          }
        ],
        "sourceIdentifier": "security@hashicorp.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-703"
              }
            ],
            "source": "security@hashicorp.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

FKIE_CVE-2024-2660

Vulnerability from fkie_nvd - Published: 2024-04-04 18:15 - Updated: 2025-08-08 19:00

Severity ?

6.4 (Medium) - CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
6.8 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security@hashicorp.com	https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20240524-0007/	Third Party Advisory

Impacted products

Vendor	Product	Version
hashicorp	vault	*
hashicorp	vault	*
hashicorp	vault	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "2E2AB795-72DA-4047-B600-A43AD9B8AF52",
              "versionEndExcluding": "1.14.11",
              "versionStartIncluding": "1.14.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "FA85F169-F4FE-4280-A6C9-7BCFB08999F0",
              "versionEndExcluding": "1.16.0",
              "versionStartIncluding": "1.14.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "77F82E35-73F4-42BF-9A7F-4D095ECAAFEE",
              "versionEndExcluding": "1.15.7",
              "versionStartIncluding": "1.15.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11."
    },
    {
      "lang": "es",
      "value": "El m\u00e9todo de autenticaci\u00f3n de los certificados TLS de Vault y Vault Enterprise no validaba correctamente las respuestas de OCSP cuando se configuraban uno o m\u00e1s or\u00edgenes de OCSP. Se corrigi\u00f3 en Vault 1.16.0 y Vault Enterprise 1.16.1, 1.15.7 y 1.14.11."
    }
  ],
  "id": "CVE-2024-2660",
  "lastModified": "2025-08-08T19:00:18.940",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.5,
        "impactScore": 5.9,
        "source": "security@hashicorp.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-04-04T18:15:14.783",
  "references": [
    {
      "source": "security@hashicorp.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20240524-0007/"
    }
  ],
  "sourceIdentifier": "security@hashicorp.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-636"
        }
      ],
      "source": "security@hashicorp.com",
      "type": "Secondary"
    }
  ]
}

bit-vault-2024-2660

Vulnerability from bitnami_vulndb

Published

2024-05-01 07:38

Modified

2025-08-11 00:06

Summary

Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "vault",
        "purl": "pkg:bitnami/vault"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.14.0"
            },
            {
              "fixed": "1.16.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-2660"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:*",
      "cpe:2.3:a:hashicorp:vault:*:*:*:*:*:go:*:*",
      "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:go:*:*"
    ],
    "severity": "Medium"
  },
  "details": "Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.",
  "id": "BIT-vault-2024-2660",
  "modified": "2025-08-11T00:06:06.142Z",
  "published": "2024-05-01T07:38:05.608Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2024-07-vault-tls-cert-auth-method-did-not-correctly-validate-ocsp-responses/64573"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240524-0007/"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2660"
    }
  ],
  "schema_version": "1.5.0",
  "summary": "Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-2660 (GCVE-0-2024-2660)

CVE-2024-2660

GHSA-J2RP-GMQV-FRHV

GSD-2024-2660

FKIE_CVE-2024-2660

bit-vault-2024-2660

Vulnerability from bitnami_vulndb

Tags

Sightings

Nomenclature