Inclusion of Sensitive Information in Log Files in Vault Enterprise - CVE-2024-2877

 

Inclusion of Sensitive Information in Log Files in Vault Enterprise - CVE-2024-2877

Published: May 8, 2024


Vulnerability identifier: #VU89271
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-2877
CWE-ID: CWE-532
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: HashiCorp
Affected software:
Vault Enterprise

Detailed vulnerability description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores request headers into log files when configured with both performance standby nodes and an audit device. A local user can read the log files and gain access to sensitive data.


How to mitigate CVE-2024-2877

Install updates from vendor's website.

Sources