Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were…
HashiCorp·CWE-636·Published 2024-04-04
Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.
Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.
HashiCorpVault does not correctly validate OCSP responses in github.com/hashicorp/vault
Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.
El método de autenticación de los certificados TLS de Vault y Vault Enterprise no validaba correctamente las respuestas de OCSP cuando se configuraban uno o más orígenes de OCSP. Se corrigió en Vault 1.16.0 y Vault Enterprise 1.16.1, 1.15.7 y 1.14.11.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 6.8 | 0.9 | 5.9 | CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 6.4 | — | — | CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | GHSA | 6.4 | — | — | CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | NVD | 6.4 | 0.5 | 5.9 | CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |