Inclusion of Sensitive Information in Log Files in Vault Enterprise - CVE-2024-2877
Published: May 8, 2024
Vulnerability identifier: #VU89271
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-2877
CWE-ID: CWE-532
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: HashiCorp
Affected software:
Vault Enterprise
Vault Enterprise
Detailed vulnerability description
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to software stores request headers into log files when configured with both performance standby nodes and an audit device. A local user can read the log files and gain access to sensitive data.
How to mitigate CVE-2024-2877
Install updates from vendor's website.