Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2024-2660

Опубликовано: 04 апр. 2024
Источник: redhat
CVSS3: 6.4
EPSS Низкий

Описание

Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.

A flaw was found in the OCSP response handling logic of Vault’s TLS certificate authentication method. This issue may result in signatures and responses from multiple servers not being handled properly. A malicious actor with privileged network access may be able to successfully authenticate via Vault’s TLS certificate authentication method with incorrect certificate status information.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Openshift Container Storage 4ocs4/cephcsi-rhel8Not affected
Red Hat Openshift Container Storage 4ocs4/mcg-rhel8-operatorNot affected
Red Hat Openshift Container Storage 4ocs4/ocs-rhel8-operatorNot affected
Red Hat Openshift Container Storage 4ocs4/rook-ceph-rhel8-operatorNot affected
Red Hat Openshift Data Foundation 4odf4/cephcsi-rhel9Not affected
Red Hat Openshift Data Foundation 4odf4/mcg-cli-rhel9Not affected
Red Hat Openshift Data Foundation 4odf4/mcg-rhel9-operatorNot affected
Red Hat Openshift Data Foundation 4odf4/ocs-rhel9-operatorNot affected
Red Hat Openshift Data Foundation 4odf4/odf-cli-rhel9Not affected
Red Hat Openshift Data Foundation 4odf4/odf-multicluster-rhel9-operatorNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-703
https://bugzilla.redhat.com/show_bug.cgi?id=2273634Vault: Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses

EPSS

Процентиль: 5%
0.00025
Низкий

6.4 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2024-2660

CVSS3: 6.4
nvd
около 1 года назад

Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.

github логотип

GHSA-j2rp-gmqv-frhv

CVSS3: 6.4
github
около 1 года назад

HashiCorpVault does not correctly validate OCSP responses

fstec логотип

BDU:2024-03127

CVSS3: 6.4
fstec
около 1 года назад

Уязвимость компонента проверки сертификатов TLS платформ для архивирования корпоративной информации HashiCorp Vault и Vault Enterprise, позволяющая нарушителю обойти процесс аутентификации

redos логотип

ROS-20240805-04

CVSS3: 8.1
redos
11 месяцев назад

Множественные уязвимости vault

EPSS

Процентиль: 5%
0.00025
Низкий

6.4 Medium

CVSS3

Уязвимость CVE-2024-2660