Input validation error in Vault and Vault Enterprise - CVE-2021-3024
Published: February 1, 2021 / Updated: February 26, 2021
Vulnerability identifier: #VU50454
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-3024
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: HashiCorp
Affected software:
Vault
Vault Enterprise
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to gain access to sensitive information.
HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests.
How to mitigate CVE-2021-3024
Install the update from the vendor's website.