{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-9180", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2024-09-25T18:00:56.306Z", "datePublished": "2024-10-10T20:54:57.084Z", "dateUpdated": "2024-11-08T22:27:31.042Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"lessThan": "1.18.0", "status": "affected", "version": "0.10.4", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Vault Enterprise", "repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "versions": [{"changes": [{"at": "1.17.7", "status": "unaffected"}, {"at": "1.16.10", "status": "unaffected"}, {"at": "1.15.16", "status": "unaffected"}], "lessThan": "1.18.0", "status": "affected", "version": "0.10.4", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A privileged Vault operator with write permissions to the root namespace\u2019s identity endpoint could escalate their own or another user\u2019s privileges to Vault\u2019s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.</p><br/>"}], "value": "A privileged Vault operator with write permissions to the root namespace\u2019s identity endpoint could escalate their own or another user\u2019s privileges to Vault\u2019s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233: Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "CWE-266: Incorrect Privilege Assignment", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2024-10-18T19:48:21.134Z"}, "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565"}], "source": {"advisory": "HCSEC-2024-21", "discovery": "INTERNAL"}, "title": "Vault Operators in Root Namespace May Elevate Their Privileges"}, "adp": [{"affected": [{"vendor": "hashicorp", "product": "vault", "cpes": ["cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0.10.4", "status": "affected", "lessThan": "1.18.0", "versionType": "semver"}]}, {"vendor": "hashicorp", "product": "vault", "cpes": ["cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0.10.4", "status": "affected", "lessThan": "1.18.0", "versionType": "semver"}, {"version": "1.17.7", "status": "unaffected"}, {"version": "1.16.11", "status": "unaffected"}, {"version": "1.15.16", "status": "unaffected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-11T15:34:50.417514Z", "id": "CVE-2024-9180", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-08T22:27:31.042Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-9180", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-11T15:34:50.417514Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:*"], "vendor": "hashicorp", "product": "vault", "versions": [{"status": "affected", "version": "0.10.4", "lessThan": "1.18.0", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*"], "vendor": "hashicorp", "product": "vault", "versions": [{"status": "affected", "version": "0.10.4", "lessThan": "1.18.0", "versionType": "semver"}, {"status": "unaffected", "version": "1.17.7"}, {"status": "unaffected", "version": "1.16.11"}, {"status": "unaffected", "version": "1.15.16"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-11T15:40:37.841Z"}}], "cna": {"title": "Vault Operators in Root Namespace May Elevate Their Privileges", "source": {"advisory": "HCSEC-2024-21", "discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233: Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "product": "Vault", "versions": [{"status": "affected", "version": "0.10.4", "lessThan": "1.18.0", "versionType": "semver"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}, {"repo": "https://github.com/hashicorp/vault", "vendor": "HashiCorp", "product": "Vault Enterprise", "versions": [{"status": "affected", "changes": [{"at": "1.17.7", "status": "unaffected"}, {"at": "1.16.10", "status": "unaffected"}, {"at": "1.15.16", "status": "unaffected"}], "version": "0.10.4", "lessThan": "1.18.0", "versionType": "semver"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565"}], "descriptions": [{"lang": "en", "value": "A privileged Vault operator with write permissions to the root namespace\u2019s identity endpoint could escalate their own or another user\u2019s privileges to Vault\u2019s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.", "supportingMedia": [{"type": "text/html", "value": "<p>A privileged Vault operator with write permissions to the root namespace\u2019s identity endpoint could escalate their own or another user\u2019s privileges to Vault\u2019s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.</p><br/>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-266", "description": "CWE-266: Incorrect Privilege Assignment"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2024-10-18T19:48:21.134Z"}}}, "cveMetadata": {"cveId": "CVE-2024-9180", "state": "PUBLISHED", "dateUpdated": "2024-11-08T22:27:31.042Z", "dateReserved": "2024-09-25T18:00:56.306Z", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "datePublished": "2024-10-10T20:54:57.084Z", "assignerShortName": "HashiCorp"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "7C3A4160-F4D5-4447-B637-ADB46ECA6191", "versionEndIncluding": "1.17.7", "versionStartIncluding": "1.7.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*", "matchCriteriaId": "B1A3560F-6E15-4CB4-AD63-019E7C499369", "versionEndExcluding": "1.18.0", "versionStartIncluding": "1.7.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "6A11834C-76C4-4D8A-8493-D2331334B823", "versionEndExcluding": "1.15.16", "versionStartIncluding": "1.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "137EE5AE-4532-40C5-AAFD-45BC897A216C", "versionEndExcluding": "1.16.11", "versionStartIncluding": "1.16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A privileged Vault operator with write permissions to the root namespace\u2019s identity endpoint could escalate their own or another user\u2019s privileges to Vault\u2019s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16."}, {"lang": "es", "value": "Un operador de Vault privilegiado con permisos de escritura en el endpoint de identidad del espacio de nombres ra\u00edz podr\u00eda escalar sus privilegios a la pol\u00edtica ra\u00edz de Vault. Corregido en Vault Community Edition 1.18.0 y Vault Enterprise 1.18.0, 1.17.7, 1.16.11 y 1.15.16."}], "id": "CVE-2024-9180", "lastModified": "2024-10-18T20:15:03.393", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2024-10-10T21:15:05.010", "references": [{"source": "security@hashicorp.com", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-266"}], "source": "security@hashicorp.com", "type": "Secondary"}]}

{"bugzilla": {"description": "hashicorp/vault: Vault Operators in Root Namespace May Elevate Their Privileges", "id": "2317923", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317923"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-266", "details": ["A privileged Vault operator with write permissions to the root namespace\u2019s identity endpoint could escalate their own or another user\u2019s privileges to Vault\u2019s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.", "A flaw was found in HashiCorp Vault. This vulnerability allows a privileged Vault operator with write permissions to the root namespace's identity endpoint to escalate their privileges to Vault\u2019s root policy.\nA misconfiguration in Vault allows a privileged operator (someone with write permissions on the root namespace\u2019s identity endpoint) to elevate privileges\u2014either their own or another user\u2019s\u2014to the root policy level, effectively giving full administrative control."], "mitigation": {"lang": "en:us", "value": "This CVE can be mitigated by the following:\n* Upgrade to a version of Vault that has the fix.\n* Restrict write access to the root namespace\u2019s identity endpoint.\n* Implement least privilege policies (e.g., via Sentinel) that limit what root-namespace operators can do.\n* Monitor audit logs: check for any \u201cidentity_policy\u201d entries containing \u201croot\u201d to detect suspicious privilege escalations."}, "name": "CVE-2024-9180", "package_state": [{"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "package_name": "ocs4/cephcsi-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "package_name": "ocs4/mcg-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "package_name": "ocs4/ocs-must-gather-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "package_name": "ocs4/ocs-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "package_name": "ocs4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/cephcsi-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/mcg-cli-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/mcg-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-cli-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}], "public_date": "2024-10-10T20:54:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-9180\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-9180\nhttps://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565"], "threat_severity": "Important"}

{}