Main Vulnerability Database Vulnerabilities #VU89271

Inclusion of Sensitive Information in Log Files in Vault Enterprise - CVE-2024-2877

Published: May 8, 2024

Vulnerability identifier: #VU89271

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2024-2877

CWE-ID: CWE-532

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Vault Enterprise

Software vendor:
HashiCorp

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores request headers into log files when configured with both performance standby nodes and an audit device. A local user can read the log files and gain access to sensitive data.

Remediation

Install updates from vendor's website.

External links

https://discuss.hashicorp.com/t/hsec-2024-10-vault-enterprise-leaks-sensitive-http-request-headers-in-audit-log-when-deployed-with-a-performance-standby-node

Inclusion of Sensitive Information in Log Files in Vault Enterprise - CVE-2024-2877

Description

Remediation

External links

Please verify you're human