SB2024050866 - Inclusion of sensitive information into log files in HashiCorp Vault Enterprise
Published: May 8, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2024-2877)
CWE-ID: CWE-532 - Information Exposure Through Log Files
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to software stores request headers into log files when configured with both performance standby nodes and an audit device. A local user can read the log files and gain access to sensitive data.
Remediation
Install update from vendor's website.