CVE-2024-0831 - Vulnerability Details

Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hashicorp	Vault

Configuration 1 [-]

OR	cpe:2.3:a:hashicorp:vault::::::::
	cpe:2.3:a:hashicorp:vault:::::enterprise:::*

No data.

References

Link	Providers
https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration
https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311
https://nvd.nist.gov/vuln/detail/CVE-2024-0831
https://security.netapp.com/advisory/ntap-20240223-0005/
https://www.cve.org/CVERecord?id=CVE-2024-0831

History

No history.

MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published: 2024-02-01T01:41:33.801Z

Updated: 2025-02-13T17:27:29.010Z

Reserved: 2024-01-23T17:42:40.228Z

Link: CVE-2024-0831

Vulnrichment

Updated: 2024-08-01T18:18:18.883Z

NVD

Status : Modified

Published: 2024-02-01T02:15:46.330

Modified: 2024-11-21T08:47:28.063

Link: CVE-2024-0831

Redhat

Severity : Moderate

Publid Date: 2024-02-01T00:00:00Z

Links: CVE-2024-0831 - Bugzilla

Show plain JSON

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-0831", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2024-01-23T17:42:40.228Z", "datePublished": "2024-02-01T01:41:33.801Z", "dateUpdated": "2025-02-13T17:27:29.010Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2024-02-23T16:06:01.441Z"}, "title": "Vault May Expose Sensitive Information When Configuring An Audit Log Device", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-268", "descriptions": [{"lang": "en", "value": "CAPEC-268 Audit Log Manipulation"}]}], "affected": [{"vendor": "HashiCorp", "product": "Vault", "platforms": ["Windows", "MacOS", "Linux", "x86", "ARM", "64 bit", "32 bit"], "repo": "https://github.com/hashicorp/vault", "versions": [{"status": "affected", "version": "1.15.0", "lessThanOrEqual": "1.15.4", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "HashiCorp", "product": "Vault Enterprise", "platforms": ["Windows", "MacOS", "Linux", "x86", "ARM", "64 bit", "32 bit"], "versions": [{"status": "affected", "version": "1.15.0", "lessThanOrEqual": "1.15.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Vault and Vault Enterprise (\u201cVault\u201d) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p><span style=\"background-color: transparent;\">Vault and Vault Enterprise (\u201cVault\u201d) </span><span style=\"background-color: rgb(255, 255, 255);\">may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.</span></p><br><br>"}]}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311"}, {"url": "https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration"}, {"url": "https://security.netapp.com/advisory/ntap-20240223-0005/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"}}], "source": {"discovery": "INTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0831", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-01T14:27:53.989443Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:22:51.524Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:18:18.883Z"}, "title": "CVE Program Container", "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311", "tags": ["x_transferred"]}, {"url": "https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240223-0005/", "tags": ["x_transferred"]}]}]}}

{

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

cveMetadata : { »

cveId : CVE-2024-0831 (string)

assignerOrgId : 67fedba0-ff2e-4543-ba5b-aa93e87718cc (string)

state : PUBLISHED (string)

assignerShortName : HashiCorp (string)

dateReserved : 2024-01-23T17:42:40.228Z (string)

datePublished : 2024-02-01T01:41:33.801Z (string)

dateUpdated : 2025-02-13T17:27:29.010Z (string)

}

containers : { »

cna : { »

providerMetadata : { »

orgId : 67fedba0-ff2e-4543-ba5b-aa93e87718cc (string)

shortName : HashiCorp (string)

dateUpdated : 2024-02-23T16:06:01.441Z (string)

}

title : Vault May Expose Sensitive Information When Configuring An Audit Log Device (string)

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

lang : en (string)

cweId : CWE-532 (string)

description : CWE-532: Insertion of Sensitive Information into Log File (string)

type : CWE (string)

}

]

}

]

impacts : [ »

0 : { »

capecId : CAPEC-268 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : CAPEC-268 Audit Log Manipulation (string)

}

]

}

]

affected : [ »

0 : { »

vendor : HashiCorp (string)

product : Vault (string)

platforms : [ »

0 : Windows (string)

1 : MacOS (string)

2 : Linux (string)

3 : x86 (string)

4 : ARM (string)

5 : 64 bit (string)

6 : 32 bit (string)

]

repo : https://github.com/hashicorp/vault (string)

versions : [ »

0 : { »

status : affected (string)

version : 1.15.0 (string)

lessThanOrEqual : 1.15.4 (string)

versionType : semver (string)

}

]

defaultStatus : unaffected (string)

}

1 : { »

vendor : HashiCorp (string)

product : Vault Enterprise (string)

platforms : [ »

0 : Windows (string)

1 : MacOS (string)

2 : Linux (string)

3 : x86 (string)

4 : ARM (string)

5 : 64 bit (string)

6 : 32 bit (string)

]

versions : [ »

0 : { »

status : affected (string)

version : 1.15.0 (string)

lessThanOrEqual : 1.15.4 (string)

versionType : semver (string)

}

]

defaultStatus : unaffected (string)

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`. (string)

supportingMedia : [ »

0 : { »

type : text/html (string)

base64 : false (boolean)

value : Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`. (string)

}

]

}

]

references : [ »

0 : { »

url : https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311 (string)

}

1 : { »

url : https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration (string)

}

2 : { »

url : https://security.netapp.com/advisory/ntap-20240223-0005/ (string)

}

]

metrics : [ »

0 : { »

format : CVSS (string)

scenarios : [ »

0 : { »

lang : en (string)

value : GENERAL (string)

}

]

cvssV3_1 : { »

version : 3.1 (string)

attackVector : NETWORK (string)

attackComplexity : LOW (string)

privilegesRequired : HIGH (string)

userInteraction : REQUIRED (string)

scope : UNCHANGED (string)

confidentialityImpact : HIGH (string)

integrityImpact : NONE (string)

availabilityImpact : NONE (string)

baseSeverity : MEDIUM (string)

baseScore : 4.5 (number)

vectorString : CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N (string)

}

]

source : { »

discovery : INTERNAL (string)

}

adp : [ »

0 : { »

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

id : CVE-2024-0831 (string)

role : CISA Coordinator (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : no (string)

}

2 : { »

Technical Impact : partial (string)

}

]

version : 2.0.3 (string)

timestamp : 2024-02-01T14:27:53.989443Z (string)

}

]

title : CISA ADP Vulnrichment (string)

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2024-07-05T17:22:51.524Z (string)

}

1 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-01T18:18:18.883Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

url : https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311 (string)

tags : [ »

0 : x_transferred (string)

]

}

1 : { »

url : https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration (string)

tags : [ »

0 : x_transferred (string)

]

}

2 : { »

url : https://security.netapp.com/advisory/ntap-20240223-0005/ (string)

tags : [ »

0 : x_transferred (string)

]

}

]

}

]

}

Show plain JSON

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311", "tags": ["x_transferred"]}, {"url": "https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240223-0005/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:18:18.883Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0831", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-01T14:27:53.989443Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:44.182Z"}}], "cna": {"title": "Vault May Expose Sensitive Information When Configuring An Audit Log Device", "source": {"discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-268", "descriptions": [{"lang": "en", "value": "CAPEC-268 Audit Log Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "product": "Vault", "versions": [{"status": "affected", "version": "1.15.0", "versionType": "semver", "lessThanOrEqual": "1.15.4"}], "platforms": ["Windows", "MacOS", "Linux", "x86", "ARM", "64 bit", "32 bit"], "defaultStatus": "unaffected"}, {"vendor": "HashiCorp", "product": "Vault Enterprise", "versions": [{"status": "affected", "version": "1.15.0", "versionType": "semver", "lessThanOrEqual": "1.15.4"}], "platforms": ["Windows", "MacOS", "Linux", "x86", "ARM", "64 bit", "32 bit"], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311"}, {"url": "https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration"}, {"url": "https://security.netapp.com/advisory/ntap-20240223-0005/"}], "descriptions": [{"lang": "en", "value": "Vault and Vault Enterprise (\u201cVault\u201d) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.", "supportingMedia": [{"type": "text/html", "value": "<p><span style=\"background-color: transparent;\">Vault and Vault Enterprise (\u201cVault\u201d) </span><span style=\"background-color: rgb(255, 255, 255);\">may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.</span></p><br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2024-02-01T16:07:23.308Z"}}}, "cveMetadata": {"cveId": "CVE-2024-0831", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:18:18.883Z", "dateReserved": "2024-01-23T17:42:40.228Z", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "datePublished": "2024-02-01T01:41:33.801Z", "assignerShortName": "HashiCorp"}, "dataVersion": "5.1"}

{

dataType : CVE_RECORD (string)

containers : { »

adp : [ »

0 : { »

title : CVE Program Container (string)

references : [ »

0 : { »

url : https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311 (string)

tags : [ »

0 : x_transferred (string)

]

}

1 : { »

url : https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration (string)

tags : [ »

0 : x_transferred (string)

]

}

2 : { »

url : https://security.netapp.com/advisory/ntap-20240223-0005/ (string)

tags : [ »

0 : x_transferred (string)

]

}

]

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-01T18:18:18.883Z (string)

}

1 : { »

title : CISA ADP Vulnrichment (string)

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

id : CVE-2024-0831 (string)

role : CISA Coordinator (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : no (string)

}

2 : { »

Technical Impact : partial (string)

}

]

version : 2.0.3 (string)

timestamp : 2024-02-01T14:27:53.989443Z (string)

}

]

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2024-07-05T15:20:44.182Z (string)

}

]

cna : { »

title : Vault May Expose Sensitive Information When Configuring An Audit Log Device (string)

source : { »

discovery : INTERNAL (string)

}

impacts : [ »

0 : { »

capecId : CAPEC-268 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : CAPEC-268 Audit Log Manipulation (string)

}

]

}

]

metrics : [ »

0 : { »

format : CVSS (string)

cvssV3_1 : { »

scope : UNCHANGED (string)

version : 3.1 (string)

baseScore : 4.5 (number)

attackVector : NETWORK (string)

baseSeverity : MEDIUM (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N (string)

integrityImpact : NONE (string)

userInteraction : REQUIRED (string)

attackComplexity : LOW (string)

availabilityImpact : NONE (string)

privilegesRequired : HIGH (string)

confidentialityImpact : HIGH (string)

}

scenarios : [ »

0 : { »

lang : en (string)

value : GENERAL (string)

}

]

}

]

affected : [ »

0 : { »

repo : https://github.com/hashicorp/vault (string)

vendor : HashiCorp (string)

product : Vault (string)

versions : [ »

0 : { »

status : affected (string)

version : 1.15.0 (string)

versionType : semver (string)

lessThanOrEqual : 1.15.4 (string)

}

]

platforms : [ »

0 : Windows (string)

1 : MacOS (string)

2 : Linux (string)

3 : x86 (string)

4 : ARM (string)

5 : 64 bit (string)

6 : 32 bit (string)

]

defaultStatus : unaffected (string)

}

1 : { »

vendor : HashiCorp (string)

product : Vault Enterprise (string)

versions : [ »

0 : { »

status : affected (string)

version : 1.15.0 (string)

versionType : semver (string)

lessThanOrEqual : 1.15.4 (string)

}

]

platforms : [ »

0 : Windows (string)

1 : MacOS (string)

2 : Linux (string)

3 : x86 (string)

4 : ARM (string)

5 : 64 bit (string)

6 : 32 bit (string)

]

defaultStatus : unaffected (string)

}

]

references : [ »

0 : { »

url : https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311 (string)

}

1 : { »

url : https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration (string)

}

2 : { »

url : https://security.netapp.com/advisory/ntap-20240223-0005/ (string)

}

]

descriptions : [ »

0 : { »

lang : en (string)

supportingMedia : [ »

0 : { »

type : text/html (string)

base64 : false (boolean)

}

]

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

lang : en (string)

type : CWE (string)

cweId : CWE-532 (string)

description : CWE-532: Insertion of Sensitive Information into Log File (string)

}

]

}

]

providerMetadata : { »

orgId : 67fedba0-ff2e-4543-ba5b-aa93e87718cc (string)

shortName : HashiCorp (string)

dateUpdated : 2024-02-01T16:07:23.308Z (string)

}

cveMetadata : { »

cveId : CVE-2024-0831 (string)

state : PUBLISHED (string)

dateUpdated : 2024-08-01T18:18:18.883Z (string)

dateReserved : 2024-01-23T17:42:40.228Z (string)

assignerOrgId : 67fedba0-ff2e-4543-ba5b-aa93e87718cc (string)

datePublished : 2024-02-01T01:41:33.801Z (string)

assignerShortName : HashiCorp (string)

}

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:*", "matchCriteriaId": "459B7BA3-5070-4686-9DDD-D3B8ADED0DF8", "versionEndExcluding": "1.15.5", "versionStartIncluding": "1.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B92203A3-1C92-430B-8008-A4FC4745DEEE", "versionEndExcluding": "1.15.5", "versionStartIncluding": "1.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Vault and Vault Enterprise (\u201cVault\u201d) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`."}, {"lang": "es", "value": "Vault y Vault Enterprise (\u201cVault\u201d) pueden exponer informaci\u00f3n confidencial al habilitar un dispositivo de auditor\u00eda que especifica la opci\u00f3n `log_raw`, que puede registrar informaci\u00f3n confidencial en otros dispositivos de auditor\u00eda, independientemente de si est\u00e1n configurados para usar `log_raw`."}], "id": "CVE-2024-0831", "lastModified": "2024-11-21T08:47:28.063", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.6, "source": "security@hashicorp.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-01T02:15:46.330", "references": [{"source": "security@hashicorp.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration"}, {"source": "security@hashicorp.com", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311"}, {"source": "security@hashicorp.com", "url": "https://security.netapp.com/advisory/ntap-20240223-0005/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240223-0005/"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security@hashicorp.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 459B7BA3-5070-4686-9DDD-D3B8ADED0DF8 (string)

versionEndExcluding : 1.15.5 (string)

versionStartIncluding : 1.15.0 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:* (string)

matchCriteriaId : B92203A3-1C92-430B-8008-A4FC4745DEEE (string)

versionEndExcluding : 1.15.5 (string)

versionStartIncluding : 1.15.0 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

}

1 : { »

lang : es (string)

value : Vault y Vault Enterprise (“Vault”) pueden exponer información confidencial al habilitar un dispositivo de auditoría que especifica la opción `log_raw`, que puede registrar información confidencial en otros dispositivos de auditoría, independientemente de si están configurados para usar `log_raw`. (string)

}

]

id : CVE-2024-0831 (string)

lastModified : 2024-11-21T08:47:28.063 (string)

metrics : { »

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 4.5 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : HIGH (string)

integrityImpact : NONE (string)

privilegesRequired : HIGH (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 0.9 (number)

impactScore : 3.6 (number)

source : security@hashicorp.com (string)

type : Secondary (string)

}

1 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 6.5 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : HIGH (string)

integrityImpact : NONE (string)

privilegesRequired : LOW (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 2.8 (number)

impactScore : 3.6 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2024-02-01T02:15:46.330 (string)

references : [ »

0 : { »

source : security@hashicorp.com (string)

tags : [ »

0 : Exploit (string)

1 : Vendor Advisory (string)

]

url : https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration (string)

}

1 : { »

source : security@hashicorp.com (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311 (string)

}

2 : { »

source : security@hashicorp.com (string)

url : https://security.netapp.com/advisory/ntap-20240223-0005/ (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Exploit (string)

1 : Vendor Advisory (string)

]

url : https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration (string)

}

4 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311 (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : https://security.netapp.com/advisory/ntap-20240223-0005/ (string)

}

]

sourceIdentifier : security@hashicorp.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-532 (string)

}

]

source : security@hashicorp.com (string)

type : Secondary (string)

}

1 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-532 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Show plain JSON

{"bugzilla": {"description": "vault: sensitive information disclosure", "id": "2262236", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262236"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-532", "details": ["Vault and Vault Enterprise (\u201cVault\u201d) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.", "A sensitive information disclosure vulnerability was found in Hashicorp Vault. Enabling an audit device that specifies the `log_raw` option may log sensitive information to oth"], "name": "CVE-2024-0831", "package_state": [{"cpe": "cpe:/a:redhat:cert_manager:1", "fix_state": "Not affected", "package_name": "cert-manager/jetstack-cert-manager-rhel9", "product_name": "cert-manager Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Not affected", "package_name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines-client", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-contour-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "mcg", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/cephcsi-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/mcg-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/ocs-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "mcg", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/cephcsi-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/mcg-cli-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/mcg-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/ocs-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/odf-cli-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/odf-multicluster-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/odf-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Not affected", "package_name": "rhods/odh-ml-pipelines-cache-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}], "public_date": "2024-02-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-0831\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-0831\nhttps://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration"], "threat_severity": "Moderate"}

{

bugzilla : { »

description : vault: sensitive information disclosure (string)

id : 2262236 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=2262236 (string)

}

csaw : false (boolean)

cvss3 : { »

cvss3_base_score : 4.5 (string)

cvss3_scoring_vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N (string)

status : draft (string)

}

cwe : CWE-532 (string)

details : [ »

0 : Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`. (string)

1 : A sensitive information disclosure vulnerability was found in Hashicorp Vault. Enabling an audit device that specifies the `log_raw` option may log sensitive information to oth (string)

]

name : CVE-2024-0831 (string)

package_state : [ »

0 : { »

cpe : cpe:/a:redhat:cert_manager:1 (string)