A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.
History

Fri, 18 Oct 2024 20:00:00 +0000

Type Values Removed Values Added
Description A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16. A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.

Thu, 17 Oct 2024 15:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*

Fri, 11 Oct 2024 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Hashicorp
Hashicorp vault
CPEs cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*
Vendors & Products Hashicorp
Hashicorp vault
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 11 Oct 2024 13:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Thu, 10 Oct 2024 21:00:00 +0000

Type Values Removed Values Added
Description A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.
Title Vault Operators in Root Namespace May Elevate Their Privileges
Weaknesses CWE-266
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published: 2024-10-10T20:54:57.084Z

Updated: 2024-11-08T22:27:31.042Z

Reserved: 2024-09-25T18:00:56.306Z

Link: CVE-2024-9180

cve-icon Vulnrichment

Updated: 2024-10-11T15:40:37.841Z

cve-icon NVD

Status : Modified

Published: 2024-10-10T21:15:05.010

Modified: 2024-10-18T20:15:03.393

Link: CVE-2024-9180

cve-icon Redhat

Severity : Important

Publid Date: 2024-10-10T20:54:57Z

Links: CVE-2024-9180 - Bugzilla