CVE-2024-8365

MEDIUM

HashiCorp Vault < 1.16.9, < 1.17.5 - Sensitive Information Disclosure in Audit Logs

Title source: llm

Description

Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.

References (1)

Core 1

Core References

Vendor Advisory

https://discuss.hashicorp.com/t/hcsec-2024-18-vault-leaks-client-token-and-token-accessor-in-audit-devices/

Scores

CVSS v3 6.2

EPSS 0.0047

EPSS Percentile 37.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-532

Status published

Products (3)

hashicorp/vault < 1.16.9

hashicorp/vault < 1.17.5

hashicorp/vault 1.17.3 - 1.17.5Go

Published Sep 02, 2024

Tracked Since Feb 18, 2026