CVE-2024-8365

MEDIUM

Vault <1.17.5 - Info Disclosure

Title source: llm

Description

Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.

References (1)

[Vendor Advisory] https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices/

Scores

CVSS v3 6.2

EPSS 0.0035

EPSS Percentile 57.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-532

Status published

Products (3)

hashicorp/vault < 1.16.9

hashicorp/vault < 1.17.5

hashicorp/vault 1.17.3 - 1.17.5Go

Published Sep 02, 2024

Tracked Since Feb 18, 2026