Description
A flaw was found in HashiCorp Vault. Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT whose audience claim did not match the role-bound audience claims, allowing an invalid login to succeed when it should have been rejected.
This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9.
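The description above says the audience check was not performed "properly". What a correct role-bound audience check looks like is shown below as an added illustration; this is not Vault's code and does not reproduce the fixed defect, it only demonstrates the RFC 7519 `aud` semantics (the claim is a single string or an array of strings, and a recipient must reject a token that does not name it) applied to a role's `bound_audiences` list. The tokens are constructed, unsigned examples with a placeholder signature segment, and the assumption is that signature verification has already happened before this step.

```python
"""Role-bound audience check for a JWT login, as an added illustration.

Not Vault's code. Demonstrates what "properly validating the role-bound
audience claim" means: a login passes only if the token's `aud` claim
(RFC 7519: a string or an array of strings) shares at least one value with
the role's bound_audiences. Tokens here are constructed and unsigned.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_example_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned compact JWS for exercising the claim check.

    The third segment is a placeholder, not a signature; a real verifier
    would reject this token before ever reaching the audience check.
    """
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.placeholder"


def decode_claims_unverified(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT checking the signature.

    Only for inspecting claims in this example; in a real login the signature
    is verified first and claims are checked afterwards.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def audience_values(claims: dict) -> list[str]:
    """Normalise the `aud` claim to a list (absent -> empty list)."""
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("malformed aud claim")


def check_login(token: str, bound_audiences: list[str]) -> tuple[bool, str]:
    """Decide whether the role-bound audience check passes; returns (ok, reason).

    Design choice of this example (an assumption, not Vault's policy): a role
    with no bound_audiences is refused rather than silently skipping the check,
    and a token with no aud claim never matches a role that binds one.
    """
    if not bound_audiences:
        return False, "role has no bound_audiences; refusing to skip the check"
    claims = decode_claims_unverified(token)
    try:
        auds = audience_values(claims)
    except ValueError as exc:
        return False, str(exc)
    if not auds:
        return False, "token has no aud claim"
    matched = sorted(set(auds) & set(bound_audiences))
    if not matched:
        return False, f"aud {auds} does not match bound_audiences {bound_audiences}"
    return True, f"aud matched {matched}"


if __name__ == "__main__":
    # Constructed tokens: one bound to this Vault, one for a different audience.
    good = make_example_token({"sub": "ci-runner", "aud": ["ci", "vault-prod"]})
    foreign = make_example_token({"sub": "ci-runner", "aud": "some-other-api"})
    for tok in (good, foreign):
        ok, reason = check_login(tok, ["vault-prod"])
        print("accept" if ok else "reject", "-", reason)
```

The reason string is what a defender wants in the audit log: a rejected login should say which `aud` values the token carried and which the role expected, so a misconfigured role and a token issued for a different consumer can be told apart.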
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat OpenShift Data Foundation 4 | odf4/cephcsi-rhel9 | Affected | | |
| Red Hat OpenShift Data Foundation 4 | odf4/mcg-cli-rhel9 | Affected | | |
| Red Hat OpenShift Data Foundation 4 | odf4/mcg-rhel9-operator | Affected | | |
| Red Hat OpenShift Data Foundation 4 | odf4/ocs-metrics-exporter-rhel9 | Affected | | |
| Red Hat OpenShift Data Foundation 4 | odf4/ocs-must-gather-rhel8 | Affected | | |
| Red Hat OpenShift Data Foundation 4 | odf4/ocs-rhel9-operator | Affected | | |
| Red Hat OpenShift Data Foundation 4 | odf4/odf-cli-rhel9 | Affected | | |
| Red Hat OpenShift Data Foundation 4 | odf4/odf-multicluster-rhel9-operator | Affected | | |
| Red Hat OpenShift Data Foundation 4 | odf4/odf-rhel8-operator | Affected | | |
| Red Hat Trusted Application Pipeline | rhtap-contract-tenant/cli-v02 | Fix deferred | | |
Additional information
Status:
CVSS3: 2.6 Low
Related vulnerabilities
HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims
Vulnerability in the enterprise information archiving platforms HashiCorp Vault and Vault Enterprise, related to improper authentication, allowing an attacker to bypass existing security restrictions
CVSS3: 2.6 Low