CVE-2024-2660 MEDIUM

CVE-2024-2660: Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses

Vendor Hashicorp
Product Vault
Weakness CWE-636
Published April 4, 2024
Last update September 26, 2024

CVSS base score

6.4/10
Attack vector Adjacent
Attack complexity High
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

The Vault and Vault Enterprise TLS certificate auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.

Key dates

Disclosure timeline

April 4, 2024 CVE published
September 26, 2024 Record updated