Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15.
History
Fri, 27 Sep 2024 01:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References | | |
Metrics | threat_severity | threat_severity |
Thu, 26 Sep 2024 21:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | Hashicorp, Hashicorp vault Community Edition, Hashicorp vault Enterprise | |
CPEs | cpe:2.3:a:hashicorp:vault_community_edition:*:*:*:*:*:*:*:*, cpe:2.3:a:hashicorp:vault_enterprise:*:*:*:*:*:*:*:* | |
Vendors & Products | Hashicorp, Hashicorp vault Community Edition, Hashicorp vault Enterprise | |
Metrics | ssvc | |
Thu, 26 Sep 2024 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Vault’s SSH secrets engine did not require the {{valid_principals}} list to contain a value by default. If the {{valid_principals}} and {{default_user}} fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15. | Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15. |
Thu, 26 Sep 2024 20:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Vault’s SSH secrets engine did not require the {{valid_principals}} list to contain a value by default. If the {{valid_principals}} and {{default_user}} fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15. | |
Title | Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default | |
Weaknesses | CWE-732 | |
References | | |
Metrics | cvssV3_1 | |
MITRE
Status: PUBLISHED
Assigner: HashiCorp
Published: 2024-09-26T19:52:55.652Z
Updated: 2024-09-26T20:29:58.984Z
Reserved: 2024-08-07T17:46:31.343Z
Link: CVE-2024-7594
Vulnrichment
Updated: 2024-09-26T20:27:27.031Z
NVD
Status: Awaiting Analysis
Published: 2024-09-26T20:15:07.687
Modified: 2024-09-30T12:46:20.237
Link: CVE-2024-7594